
The Research And Application Of Snort

Posted on: 2007-02-22
Degree: Master
Type: Thesis
Country: China
Candidate: W Lu
Full Text: PDF
GTID: 2178360182480002
Subject: Computer application technology
Abstract/Summary:
With the rapid development of the Internet, the security of computer systems and networks has become an increasingly serious problem. Attack tools of all kinds can now be downloaded from the Internet, and new intrusion methods appear continuously, making networks easier to attack. In particular, MMC (Malicious Mobile Code) such as Internet worms has paralysed the Internet on a global scale many times. Intrusion detection is an important component of a network security architecture, and the urgent need for IDS (Intrusion Detection Systems) has made the related research and applications an important topic in the network security field.

Based on the Ethernet network protocols, the paper analyses the concept of intrusion, commonly used intrusion methods and the classification of IDS. It gives a detailed analysis of the principles and implementation of the IDS Snort, including its network packet capture module, network protocol analysis module, rule parsing module, alarm and event detection module, storage module and so on. The paper systematically analyses the network protocols ARP, RARP, IP, TCP, UDP and ICMP, the rule-parsing methods used to load records from the signature (rule) files, and the pattern-matching methods used to match packets against signature records in order to analyse intrusion behaviour.

The paper analyses in detail the source code, data structures and critical variables of Snort's main modules, and the organizational structure, sources, functions, matching methods and update measures of the signature files. With the appropriate compilation options, Snort can support the Oracle database management system. Using Oracle database and Java technology, the paper describes the development of a security detection management platform based on Snort, performs various statistical analyses on the alarm database and analyses optimization strategies for it.

Combining the organizational structure of the signature files with the characteristics of proxy applications, the paper gives rule records for proxy detection. The platform includes statistical analysis of the various kinds of alarm information, publication of attack-source information on web pages, detection of unauthorized IP address use (IP theft), control of such IP theft based on ARP spoofing, and SNMP-based analysis of switch CPU load and port traffic. The platform is based on Snort version 2.3.2, with which the paper tested the core devices of a campus network and the LAN where its servers are located. The system is expected to give more accurate detection of various intrusion behaviours.
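As an added illustration of the rule-parsing and pattern-matching steps the abstract describes (example code written for this page, not code from the thesis or from Snort itself), the following Python parses a minimal Snort-style rule syntax, loads constructed sample rules, and matches them against constructed packet records. The rule grammar, the `Rule` class and the packet dictionary layout are hypothetical simplifications.

```python
import re
from dataclasses import dataclass

# Hypothetical minimal Snort-style rule grammar (simplified for this example):
#   action proto src sport -> dst dport (key:value; key:"value"; ...)
RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict

def parse_rule(line):
    """Turn one rule line into a Rule; raises ValueError on malformed input."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule: " + line)
    action, proto, src, sport, _, dst, dport, opts = m.groups()
    options = {}
    # Options are split on ';' (simplification: no escaped ';' inside content).
    for opt in filter(None, (o.strip() for o in opts.split(';'))):
        key, _, val = opt.partition(':')
        options[key.strip()] = val.strip().strip('"')
    return Rule(action, proto.lower(), src, sport, dst, dport, options)

def load_rules(text):
    """Load all non-comment, non-empty lines of a signature file as rules."""
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith('#')]

def _field_ok(pattern, value):
    # "any" matches everything; otherwise the address/port must match exactly.
    return pattern == "any" or pattern == str(value)

def matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule.proto != pkt["proto"]:
        return False
    if not (_field_ok(rule.src, pkt["src"]) and _field_ok(rule.dst, pkt["dst"])):
        return False
    if not (_field_ok(rule.sport, pkt["sport"]) and _field_ok(rule.dport, pkt["dport"])):
        return False
    content = rule.options.get("content")  # payload substring check, if the rule has one
    return content is None or content.encode() in pkt["payload"]

def detect(rules, pkts):
    """Return (sid, msg) alarms in packet order, one per matching rule."""
    return [(r.options.get("sid"), r.options.get("msg")) for p in pkts for r in rules if matches(r, p)]

# Constructed sample signature file and packets (not from the thesis or the campus network).
RULES = """# constructed sample rules
alert tcp any any -> 10.0.0.5 80 (msg:"WEB cgi-bin probe"; content:"/cgi-bin/"; sid:1000001;)
alert udp any any -> any 161 (msg:"SNMP public community"; content:"public"; sid:1000002;)
"""
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.9", "sport": 3456, "dst": "10.0.0.5", "dport": 80, "payload": b"GET /cgi-bin/test HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "192.168.1.9", "sport": 3457, "dst": "10.0.0.5", "dport": 80, "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"proto": "udp", "src": "192.168.1.9", "sport": 5000, "dst": "10.0.0.1", "dport": 161, "payload": b"0\x26\x02\x01\x00\x04\x06public"},
]
```

Running `detect(load_rules(RULES), PACKETS)` reports the cgi-bin probe for the first packet and the SNMP community string for the third; the second packet matches no rule.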
Keywords/Search Tags: Intrusion Detection, Snort, rule parsing, proxy detection