
Snort Analysis And Applying Visually

Posted on: 2009-04-22
Degree: Master
Type: Thesis
Country: China
Candidate: M Lv
Full Text: PDF
GTID: 2178360275471754
Subject: Software engineering

Abstract/Summary:
With the development of networks, computer network security has become an international issue; global computer network security problems damage the world economy and cause losses amounting to tens of billions of dollars each year. Snort is a lightweight network intrusion detection system (NIDS) that tries to have minimal impact on the normal operation of the network. A good lightweight NIDS should run across platforms, place the least possible load on the system, and allow administrators to modify its configuration so as to respond to real-time security events in a short period of time. As an open source NIDS, Snort has very good scalability and portability and is an important analysis target for research institutions and network security vendors. Snort has three modes: Sniffer, Packet Recorder and Network Intrusion Detection System. It can analyse traffic in real time and log IP packets; it performs protocol analysis and content searching and matching, and can detect and alert on a variety of attacks in real time.

This paper is an in-depth study of the overall structure of Snort. When Snort starts up, it reads the attack rules line by line according to the information in its configuration files and builds them into a three-tier chain tree structure. It then captures packets using libpcap, decodes them following the TCP/IP protocols and stores them in a structure named Packet, which holds all the information about the packet. The Packet is passed to the preprocessors for necessary pre-treatment such as IP fragment reassembly and TCP stream reassembly, and is then handed to the detection engine, which matches it against the three-tier rule chain tree. If a match succeeds, an alarm is raised.

In this paper, the whole Snort detection process is divided into five modules: the rule processing module, the packet capture and decoding module, the preprocessor module, the detection engine module, and the alarm and output module. For each module, the paper introduces the corresponding data structures, algorithms and functions; the most important functions are presented as pseudo-code. The detection engine module is treated in the most detail because it is the most important. Because Snort's visualisation is weak, I made some adaptations and improvements, including modifying the source code of the detection part and writing a scheduler program, Detector, which is used to configure the parameters of Snort, send it commands, and receive and process the information Snort reports.
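As an added illustration of the rule processing and detection engine steps described above (not code from the thesis or from Snort itself), the following simplified Python model builds a three-tier rule chain tree from constructed rules and matches constructed packets against it; the field names, the header/option/check split and the sample rules are assumptions of the model, not Snort's real structures.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional
# Added simplified model (not Snort source) of the three-tier rule chain tree from the
# abstract: tier 1 rule headers, tier 2 option lists per header, tier 3 option checks.

@dataclass
class Packet:                    # stands in for Snort's decoded Packet struct
    proto: str
    dport: int
    payload: bytes
@dataclass
class OptTreeNode:               # tier 2: one rule's msg plus its tier 3 check functions
    msg: str
    checks: List[Callable[[Packet], bool]] = field(default_factory=list)
@dataclass
class RuleTreeNode:              # tier 1: a rule header shared by every rule that has it
    proto: str
    dport: int
    options: List[OptTreeNode] = field(default_factory=list)

def content_check(needle: bytes) -> Callable[[Packet], bool]:
    """Tier 3 function for a 'content' option: substring search in the payload."""
    return lambda pkt: needle in pkt.payload

def build_rule_tree(rules) -> List[RuleTreeNode]:
    """rules: (proto, dport, msg, content) tuples; identical headers share one RTN."""
    tree: List[RuleTreeNode] = []
    for proto, dport, msg, content in rules:
        rtn = next((r for r in tree if (r.proto, r.dport) == (proto, dport)), None)
        if rtn is None:
            rtn = RuleTreeNode(proto, dport)
            tree.append(rtn)
        rtn.options.append(OptTreeNode(msg, [content_check(content)]))
    return tree

def detect(tree: List[RuleTreeNode], pkt: Packet) -> Optional[str]:
    """Walk tier 1 -> 2 -> 3; return the msg of the first fully matching rule or None."""
    for rtn in tree:
        if rtn.proto != pkt.proto or rtn.dport != pkt.dport:
            continue                           # header mismatch skips all its options
        for otn in rtn.options:
            if all(check(pkt) for check in otn.checks):
                return otn.msg                 # the 'alarm' step in the abstract
    return None

# Constructed sample rules (not from the thesis); the first two share the tcp/80 header.
RULES = [("tcp", 80, "WEB traversal attempt", b"../../"),
         ("tcp", 80, "WEB phf access", b"/cgi-bin/phf"),
         ("tcp", 21, "FTP SITE EXEC attempt", b"SITE EXEC")]
TREE = build_rule_tree(RULES)
```

Because the two tcp/80 rules hang off one header node, the header comparison happens once per packet and only matching headers descend into their option lists, which is the point of the tree layout.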
Keywords/Search Tags:Snort, NIDS, Rule, Pre-processor, Detection engine