
The Research And Application Of Snort Intrusion Detection System Based On The Campus Network Environment

Posted on: 2009-02-27
Degree: Master
Type: Thesis
Country: China
Candidate: X N Hou
Full Text: PDF
GTID: 2178360242488426
Subject: Computer application technology

Abstract/Summary:
With the rapid development of the Internet and the growing abundance of network applications, the problem of network security has become more and more complex and serious. As a dynamic security device, an Intrusion Detection System (IDS) can safeguard information security automatically and in real time. It is a new generation of security guard that succeeds traditional protection measures such as firewalls, identity authentication and data encryption, and it can detect attacks not only from outside but also from within. As a powerful and lightweight NIDS, Snort has good extensibility and portability and can be used in many situations.

After introducing Intrusion Detection Systems, the thesis carries out an in-depth study of the network intrusion detection system Snort. By analysing the modules of Snort's architecture, its working flow and its rules, the thesis identifies Snort's performance bottlenecks and, on that basis, proposes methods to improve its performance: first, improved packet capture, which raises packet-capture performance through memory mapping, zero copy and half polling; second, protocol flow analysis, which improves the efficiency of attack detection by discarding the data flow originating from the protected server; third, rule optimization, which speeds up rule matching by creating efficient rule sets; fourth, improved pattern-matching algorithms, which greatly reduce the time spent on pattern matching.

Finally, an integrated model is given. Theoretical analysis shows that protocol flow analysis can effectively reduce processing time in general, experiments show that rule optimization can greatly improve detection performance, and a comparison with the classic matching algorithms (the BM, AC and WM algorithms) leads to the conclusion that the WM algorithm has the better time and space cost.

For current security problems on the campus network, such as ARP spoofing, forged DHCP servers, DHCP flooding and illegal proxies, the thesis studies these problems in depth on the basis of the Snort source code: it implements the detection and defence of ARP spoofing by adding an ARP detection module, solves the problems of forged DHCP servers and illegal proxies by writing new Snort rules, and implements the detection of DHCP flood attacks by designing a specific Snort preprocessor plug-in. The experimental results show that, by extending the functionality of the Snort system, good results are achieved against the above-mentioned abnormal network behaviours.
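The abstract describes an ARP detection module added to Snort but gives no detail of its checks. The following is an added example, not code from the thesis or from Snort, showing the kind of checks a Snort-style ARP detection module makes: it compares the Ethernet header addresses with the ARP payload addresses, flags unicast ARP requests, validates senders against a trusted IP-to-MAC table for protected hosts (gateway, servers), and tracks binding changes for other hosts. The frame fields, the `ArpSpoofDetector` class, the trusted table and all addresses are constructed for illustration.

```python
# Added example (not from the thesis): an ARP spoofing detector in the spirit
# of the ARP detection module the abstract describes. Frames are constructed
# in-memory records, not real captures; addresses and the trusted table are
# hypothetical.
from dataclasses import dataclass
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    """The fields of an Ethernet/ARP frame that the checks below need."""
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    op: int           # ARP opcode: 1 = request, 2 = reply
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    target_mac: str   # ARP target hardware address
    target_ip: str    # ARP target protocol address


class ArpSpoofDetector:
    def __init__(self, trusted: Dict[str, str]):
        # Static IP -> MAC bindings for hosts worth protecting (gateway, servers).
        self.trusted = {ip: mac.lower() for ip, mac in trusted.items()}
        # Bindings learned from traffic for hosts not in the trusted table.
        self.learned: Dict[str, str] = {}

    def inspect(self, f: ArpFrame) -> List[str]:
        """Return a list of alert strings for one frame (empty if it looks normal)."""
        alerts: List[str] = []
        sender_mac = f.sender_mac.lower()
        # 1. The Ethernet source must match the ARP sender hardware address.
        if f.eth_src.lower() != sender_mac:
            alerts.append(f"ethernet src {f.eth_src} != ARP sender {f.sender_mac}")
        # 2. A reply must be delivered to the host it names as target.
        if f.op == ARP_REPLY and f.eth_dst.lower() != f.target_mac.lower():
            alerts.append(f"reply ethernet dst {f.eth_dst} != ARP target {f.target_mac}")
        # 3. Requests are normally broadcast; a unicast request is suspicious.
        if f.op == ARP_REQUEST and f.eth_dst.lower() != BROADCAST:
            alerts.append(f"unicast ARP request to {f.eth_dst}")
        # 4. Protected hosts must only ever be claimed by their trusted MAC.
        expected = self.trusted.get(f.sender_ip)
        if expected is not None:
            if sender_mac != expected:
                alerts.append(f"{f.sender_ip} claimed by {f.sender_mac}, trusted MAC is {expected}")
        else:
            # 5. For other hosts, flag a change of the binding seen earlier.
            previous = self.learned.setdefault(f.sender_ip, sender_mac)
            if previous != sender_mac:
                alerts.append(f"{f.sender_ip} moved from {previous} to {f.sender_mac}")
        return alerts


# Constructed sample traffic (hypothetical addresses).
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.20", "00:11:22:33:44:20"
ATTACKER_MAC = "de:ad:be:ef:00:01"
ZERO_MAC = "00:00:00:00:00:00"

SAMPLE_FRAMES = [
    # legitimate broadcast request from the victim asking for the gateway
    ArpFrame(VICTIM_MAC, BROADCAST, ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP),
    # legitimate reply from the gateway
    ArpFrame(GATEWAY_MAC, VICTIM_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # spoofed reply: another MAC claims the gateway IP
    ArpFrame(ATTACKER_MAC, VICTIM_MAC, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # forged sender field: Ethernet header and ARP payload disagree
    ArpFrame(ATTACKER_MAC, VICTIM_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # unprotected host seen once, then the same IP announced from another MAC
    ArpFrame("00:11:22:33:44:30", BROADCAST, ARP_REQUEST, "00:11:22:33:44:30", "10.0.0.30", ZERO_MAC, GATEWAY_IP),
    ArpFrame(ATTACKER_MAC, BROADCAST, ARP_REQUEST, ATTACKER_MAC, "10.0.0.30", ZERO_MAC, GATEWAY_IP),
]


def run_detector(frames=SAMPLE_FRAMES) -> List[List[str]]:
    """Run the detector over the frames and return the alert list for each one."""
    det = ArpSpoofDetector({GATEWAY_IP: GATEWAY_MAC})
    return [det.inspect(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(run_detector()):
        print(i, alerts or "ok")
```

The static table is what gives the detector its value on a campus network: the gateway and servers are the hosts whose IP-to-MAC bindings matter most, and a reply claiming one of those IPs from any other MAC is alerted immediately, while bindings for ordinary hosts are only compared against what was seen before, which is noisier (DHCP lease changes look the same as spoofing) and is better treated as a lower-priority event.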
Keywords/Search Tags: Intrusion Detection, Snort, ARP, DHCP, PROXY