
The Research And Design Of Intrusion Detection Engine Based On Snort

Posted on: 2009-04-25
Degree: Master
Type: Thesis
Country: China
Candidate: S X Chen
GTID: 2178360245452176
Subject: Computer application technology
Abstract/Summary:
With the rapid development of the Internet, people face increasingly serious network security problems. Alongside the firewall, intrusion detection is an important safeguard for network security. Snort is a powerful, lightweight network IDS. It can analyze traffic in real time and log IP network packets, and it can perform protocol analysis and content searching and matching. Snort can also detect a variety of attacks and raise real-time alarms. Furthermore, Snort has good extensibility and portability. The detection engine is the core module of an intrusion detection system.

First, the thesis outlined intrusion detection systems: their components, workflow, architecture, commonly used intrusion methods, and the current state of intrusion detection systems. Contemporary challenges and trends in IDS were also discussed.

Second, the thesis analyzed the Snort architecture, workflow and three-dimensional linked list, with particular attention to Snort's detection engine. It then analyzed several classic matching algorithms and their performance, including the BM, AC and WM algorithms. It examined the theory of the MWM algorithm, which is Snort's default multi-pattern matching algorithm, analyzed the algorithm's time and space complexity, and compared performance in terms of time and space.

Finally, to meet the demands of increasing network traffic and speed, the Snort intrusion detection engine was improved. Starting from the initial rule linked list, the data structure was reconstructed for rapid matching. Two detection engines were then analyzed: the one implemented in Snort 2.0 and the improved detection engine. Experimental results show that the improved detection engine is better than the Snort 2.0 detection engine in speed and memory consumption when the number of rules increases to more than 400.

The improved detection engine opens a new way to design intrusion detection engines, but it requires continuous improvement.
Keywords/Search Tags: Snort, intrusion detection, matching algorithm, data structure, detection engine