
Research Of Snort-based Intrusion Detection System

Posted on: 2007-10-30
Degree: Master
Type: Thesis
Country: China
Candidate: W C Dai
Full Text: PDF
GTID: 2178360185962347
Subject: Computer application technology

Abstract/Summary:
Intrusion detection has recently become not only a research focus in network security but also a technology with broad market prospects. Information security technology has shifted from passive protection to active recovery. Mainstream security architectures such as the firewall cannot by themselves satisfy the requirements of network security, so intrusion detection has attracted wide attention. Widely recognized as a complement to the firewall, intrusion detection extends administrators' security management capabilities to include security auditing, monitoring, attack recognition and response; it also addresses the problem of evidence preservation.

With the rapid growth of the Internet, network bandwidth keeps widening and network speeds keep increasing, so the detection efficiency of intrusion detection systems must improve accordingly. The fundamental way to raise system efficiency is to improve and optimize the Detection Engine, which is the core of the intrusion detection system.

Snort is a powerful lightweight network IDS. It analyzes traffic in real time and logs IP packets, and it performs protocol analysis as well as content searching and matching. Snort can detect many different kinds of attack and raise a real-time alert. Furthermore, Snort is highly extensible and portable.

This thesis first describes Snort's architecture, its processing flow and its three-dimensional linked list, and then analyzes the Snort Detection Engine and its pattern matching algorithms in detail. Because of the shortcomings of the original pattern matching algorithms used by Snort, a new improved algorithm is chosen and applied to the Snort Detection Engine.

Results from several experiments show that the new improved algorithm is efficient and that the improved Detection Engine is faster than the original system. The advantages and disadvantages of the newly implemented system are then discussed, along with suggestions for further improvement.

Finally, the application of Snort in a distributed network environment is studied. Several Snort detection nodes are deployed, and a management interface for these nodes is developed to provide convenient distributed detection and centralized management. This also greatly reduces the load on each Detection Engine and thus improves Snort's adaptability to high-bandwidth networks.
Keywords/Search Tags: Detection Engine, Multiple Pattern Matching, Distributed