
A Research On Intrusion Detection System Based On Snort Rules Optimization

Posted on: 2011-06-07
Degree: Master
Type: Thesis
Country: China
Candidate: R Hu
Full Text: PDF
GTID: 2178360308454928
Subject: Computer application technology
Abstract/Summary:
As a proactive protective technique, intrusion detection provides real-time protection against internal attacks, external attacks and misoperation, and responds to intrusions when the network system comes under threat. Intrusion detection technology has become a valuable complement to the firewall, and many researchers have paid close attention to this field. Snort is the most widely used open-source intrusion detection system and the representative rule-based misuse detection system. For a rule-based intrusion detection system, how to match rules quickly against a large rule base and respond in time is the central research problem.

In this paper, with the aim of reducing computing cost and increasing the efficiency of rule matching, we design an intrusion detection system based on a study of Snort combined with protocol analysis technology. First, we analyse the structure and limitations of the Snort rule base, which is divided into rules according to port, and introduce a local port access authority management policy combined with protocol analysis. The local port access authority management policy records which source IP addresses and ports are allowed to access the local application-layer service ports: we set an access authority for each local port that permits only specific source IP addresses and ports to access it. Before rule matching, the port access authority is checked so that unauthorized access is discovered in time. The policy not only manages access violations effectively but also accelerates rule matching, because the rules for illegal access are separated from the rule base. In the designed system, each application-layer protocol has its own rule base, rule description and rule processor based on its characteristics.

Based on the different characteristics of each application-layer protocol, we classify the rule options of Snort rules according to characteristic keywords. For the FTP protocol, we classify the rule options according to keywords based on the command type, which avoids the computing cost of matching rules that are irrelevant to the current command. Furthermore, by weighting the keywords of rules and commands, we sort the rule base in real time, which also improves the matching rate. We design a system model based on the above method, made up of a data protocol analysis module, a local port management policy module, a rule base module and a log module. The rules are described and organized in XML. Because studying every protocol would be a huge workload, in this paper we take only the FTP rules of Snort as an example; these rules are divided into 34 kinds of commands. We also implement the system's functions, organize experiments, and demonstrate its feasibility and effectiveness experimentally.
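The two ideas above, the local port access authority check run before rule matching and FTP rules bucketed by command keyword with frequency-based re-sorting, as an added toy example in Python (not the thesis's own code). The policy entries, rule ids and rule contents are constructed, and Snort's FTP rule set is reduced to four stand-in rules.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy (assumption): local port 21 (FTP control) may be reached only by
# 10.0.0.5 from any source port (None) and by 10.0.0.7 from source port 40000.
ACCESS_POLICY: Dict[int, Set[Tuple[str, Optional[int]]]] = {
    21: {("10.0.0.5", None), ("10.0.0.7", 40000)},
}

def is_authorized(src_ip: str, src_port: int, dst_port: int) -> bool:
    """Local port access authority check, run before any rule matching."""
    allowed = ACCESS_POLICY.get(dst_port)
    if allowed is None:
        return True  # port not under policy: fall through to rule matching
    return any(ip == src_ip and port in (None, src_port) for ip, port in allowed)

@dataclass
class FtpRule:
    sid: int          # constructed ids, not Snort's
    command: str      # FTP command keyword the rule belongs to
    content: str      # substring looked for in the command argument
    msg: str
    hits: int = 0     # how often the rule fired; used to re-sort its bucket

# Constructed rules standing in for Snort's FTP rule set.
RULES = [
    FtpRule(1001, "USER", "root", "FTP login as root attempted"),
    FtpRule(1002, "RETR", "../", "FTP path traversal in RETR"),
    FtpRule(1003, "SITE", "EXEC", "FTP SITE EXEC attempted"),
    FtpRule(1004, "CWD", "../", "FTP path traversal in CWD"),
]

def build_rule_base(rules: List[FtpRule]) -> Dict[str, List[FtpRule]]:
    """Bucket rules by command so a packet is compared only with relevant rules."""
    base: Dict[str, List[FtpRule]] = {}
    for r in rules:
        base.setdefault(r.command, []).append(r)
    return base

def inspect(src_ip, src_port, dst_port, payload, rule_base):
    """Return (verdict, alert messages, number of rules actually compared)."""
    if not is_authorized(src_ip, src_port, dst_port):
        return "unauthorized", [], 0          # caught before any rule matching
    cmd, _, arg = payload.strip().partition(" ")
    bucket = rule_base.get(cmd.upper(), [])
    alerts = [r.msg for r in bucket if r.content in arg]
    for r in bucket:
        r.hits += r.content in arg
    bucket.sort(key=lambda r: r.hits, reverse=True)   # most-fired rules first
    return ("alert" if alerts else "pass"), alerts, len(bucket)
```

The third element of the result shows the saving: a command is compared only against its own bucket, and an unauthorized source never reaches rule matching at all.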
Keywords/Search Tags: Intrusion Detection, Protocol Analysis, Snort