
Research And Performance Improvement On Snort Intrusion Detection System

Posted on: 2009-08-05
Degree: Master
Type: Thesis
Country: China
Candidate: S C Xie
Full Text: PDF
GTID: 2178360245980091
Subject: Computer software and theory
Abstract/Summary:
With the rapid development of computer and network technology, network security problems have become increasingly prominent, and traditional encryption and firewall techniques can no longer fully meet expectations. As one of the newer methods, the Intrusion Detection System (IDS) plays an important role in network security today, and by its nature IDS should contribute more to information security.

Snort is a free, open-source, "lightweight" Network-based Intrusion Detection System (NIDS) with many capabilities. By studying Snort's characteristics and implementation techniques, people can learn about IDS in general and Snort's advantages in particular, and so contribute to IDS and Snort. Studying Snort is of both academic significance and commercial value.

In this thesis, the author looks into Snort's code and analyzes its overall architecture, its multi-rule inspection engine, its fast detection engine, and its string-matching algorithms. From the study of pattern matching we obtain the key technology for improving Snort's performance.

After analyzing the new characteristics of Snort rule matching and several existing improvement methods, and considering that only a small part of the massive Snort rule set is active in any given time period, a new Snort rule matching method based on active rule sets is proposed in this paper. The rule set under each port is divided into an active rule set and an inactive rule set; combined with feedback from the rule matching frequency, the rule matching order is renewed in real time and the size of the active rule set is limited, so the rule matching speed can be improved. According to the proposed method, we improved the rule matching algorithm of Snort 2.4 and tested the improved system using the internationally standardized intrusion detection sample data from MIT Lincoln Lab.

The comparison results of the test show that the efficiency of the new system is improved by 6%~21%. At the end, this thesis points out further work on improving Snort matching performance and discusses the prospects of Snort and IDS technology.
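The following Python sketch is an added illustration of the active-rule-set idea described in the abstract; it is not code from the thesis or from Snort. It assumes (as constructed simplifications) that a rule is a (rule_id, dst_port, pattern) triple, that a rule matches when its pattern is a substring of the payload (Snort's multi-pattern engine is replaced by plain substring tests), that rule evaluation stops at the first match, and that the promotion threshold, active-set bound and decay window are tunable parameters; the rule identifiers, content strings and traffic stream are made up for the example. It pits a static-order matcher against one that keeps, per port, a small active set ordered by recent hit frequency in front of the inactive set, and counts how many pattern tests each needs for the same verdicts.

```python
"""Active/inactive rule sets with match-frequency feedback (added example,
not thesis or Snort code). Constructed assumptions: a rule is
(rule_id, dst_port, pattern); a rule matches when pattern is a substring of
the payload; evaluation stops at the first match, so the order in which a
port's rules are tried decides how many pattern tests a packet costs."""
from collections import defaultdict


class StaticMatcher:
    """Baseline: a port's rules are tried in their original order."""

    def __init__(self, rules):
        self.by_port = defaultdict(list)
        for rule in rules:
            self.by_port[rule[1]].append(rule)
        self.comparisons = 0  # total pattern tests performed

    def match(self, dst_port, payload):
        for rule_id, _port, pattern in self.by_port[dst_port]:
            self.comparisons += 1
            if pattern in payload:
                return rule_id
        return None


class ActiveSetMatcher:
    """Per port, a bounded active set (hottest rule first) is tried before
    the inactive set; every hit feeds back into the order."""

    def __init__(self, rules, active_limit=3, promote_after=2, window=50):
        self.active = defaultdict(list)     # port -> hot rules, hottest first
        self.inactive = defaultdict(list)   # port -> rarely hit rules
        self.hits = defaultdict(int)        # rule_id -> hits in current window
        self.active_limit = active_limit    # bound on the active set size
        self.promote_after = promote_after  # hits needed to become active
        self.window = window                # packets between counter decays
        self.packets = self.comparisons = 0
        for rule in rules:
            self.inactive[rule[1]].append(rule)  # every rule starts inactive

    def match(self, dst_port, payload):
        self.packets += 1
        if self.packets % self.window == 0:
            self._decay()
        for rule_set in (self.active[dst_port], self.inactive[dst_port]):
            for rule in rule_set:
                self.comparisons += 1
                if rule[2] in payload:
                    self._feedback(dst_port, rule)
                    return rule[0]
        return None

    def _feedback(self, port, rule):
        """Count the hit, then promote, reorder and bound the active set."""
        self.hits[rule[0]] += 1
        active, inactive = self.active[port], self.inactive[port]
        if rule in inactive and self.hits[rule[0]] >= self.promote_after:
            inactive.remove(rule)
            active.append(rule)
        if rule in active:
            active.sort(key=lambda r: self.hits[r[0]], reverse=True)
            while len(active) > self.active_limit:
                inactive.append(active.pop())  # demote the coldest rule

    def _decay(self):
        """Halve counters so the active sets track the current period, and
        demote active rules that stopped hitting."""
        for rule_id in self.hits:
            self.hits[rule_id] //= 2
        for port, active in self.active.items():
            for rule in [r for r in active if self.hits[r[0]] == 0]:
                active.remove(rule)
                self.inactive[port].append(rule)


# Constructed port-80 rule set; ids and content strings are made up here.
RULES = [("R1", 80, b"/etc/passwd"), ("R2", 80, b"cmd.exe"),
         ("R3", 80, b"<script>"), ("R4", 80, b"union select"),
         ("R5", 80, b"/cgi-bin/"), ("R6", 80, b"xp_cmdshell"),
         ("R7", 80, b"%c0%af"), ("R8", 80, b"nikto"),
         ("R9", 80, b"../../"), ("R10", 80, b"wp-login.php")]


def build_stream(n=120):
    """Constructed traffic: mostly R10 (last in the original order), a few
    R9, and benign requests (every 4th packet) that match nothing."""
    stream = []
    for i in range(n):
        if i % 4 == 3:
            stream.append((80, b"GET /index.html HTTP/1.1"))
        elif i % 10 == 5:
            stream.append((80, b"GET /a/../../b HTTP/1.1"))
        else:
            stream.append((80, b"POST /wp-login.php HTTP/1.1"))
    return stream


def compare(stream=None):
    """Both matchers on one stream: same verdicts, far fewer pattern tests."""
    stream = stream or build_stream()
    static, adaptive = StaticMatcher(RULES), ActiveSetMatcher(RULES)
    verdicts = [static.match(p, d) for p, d in stream]
    same = verdicts == [adaptive.match(p, d) for p, d in stream]
    return {"same_verdicts": same, "hits_r10": verdicts.count("R10"),
            "static_tests": static.comparisons,
            "active_set_tests": adaptive.comparisons}
```

Calling compare() on the constructed stream gives identical verdicts from both matchers while the active-set matcher performs roughly a third of the pattern tests, because the two rules that actually fire are promoted to the front after their second hit. Benign packets still cost a full scan of both sets, which is the same trade-off the abstract describes: the gain comes from reordering, not from skipping rules, so detection coverage is unchanged.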
Keywords/Search Tags:NIDS, active rule sets, rule tree, rule matching, matching frequency