
Study On The Improvement Of Snort In The Transition Network Of IPv4/IPv6

Posted on: 2009-01-04
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Fan
Full Text: PDF
GTID: 2178360272975474
Subject: Computer system architecture
Abstract/Summary:
With the rapid development of the Internet, computer networks have become a very important part of modern society, and network security faces more and more challenges. Intrusion detection systems have been one of the focuses of network security research in recent years. An IDS monitors the running state of the system or the network and detects every intrusion attempt, intrusion in progress, or intrusion that has already happened; it overcomes the firewall's limitations and becomes another line of defense behind the firewall.

As the next-generation Internet protocol, IPv6 not only solves the problem that IPv4 addresses will soon be exhausted, but also has better routing performance, quality of service, and security than IPv4. The Internet will ultimately be upgraded to IPv6; because of IPSec, IPv6 is more secure than IPv4, but IPv6 has not entirely solved the following security problems: (1) many operating systems have bugs in the IPv6 protocol stack; (2) many attacks that don't work on the IP protocol can be migrated to IPv6; (3) the dual-stack and tunnel transition mechanisms may bring new dangers and possibilities for misuse; (4) the IPv6 protocol brings many variations and new features, some of which may potentially cause security problems.

Traditional IDS systems are currently limited to IPv4; they cannot support IPv6 or the IPv4/IPv6 transition network environment. Research on IDS with IPv6 support is just beginning.

Snort is a famous open source intrusion detection system. In this dissertation, the principle and architecture of Snort are analyzed, and its three main parts, the packet decoder, the preprocessor and the rules, are improved to support IPv6, so that Snort can run in both IPv4 and IPv6. Then Snort's detection performance is improved by modifying the rule organization to reduce the number of rules that a packet needs to match, and by adjusting the rule option order to make normal packets match faster.

The Neighbor Discovery Protocol (NDP) is a new mechanism in IPv6. In this dissertation, the security of NDP is analyzed, some threats arising from misuse of NDP are proved, and a preprocessor is implemented to detect this type of attack behavior.

The experimental results indicate that the improved Snort system not only can run in both IPv4 and IPv6, but also can detect some new threats arising from misuse of new mechanisms in IPv6.
Keywords/Search Tags:IDS, Snort, IPv6, Neighbor Discovery Protocol