
Distributed Snort Research And Application Design

Posted on: 2006-04-19
Degree: Master
Type: Thesis
Country: China
Candidate: T J Chen
Full Text: PDF
GTID: 2208360152496523
Subject: Software engineering
Abstract/Summary:
This paper analyzes in detail the structure, functions and operating principles of Snort, the well-known intrusion detection system. Snort is a pattern-matching IDS: it identifies suspicious or hostile traffic by means of rules. Custom rules let the user define the characteristics of traffic, so that Snort can be adapted to a network of a specific structure. Snort captures the raw packets passing through the network by means of libpcap. Because libpcap has been ported to many common operating systems, Snort is an intrusion detection system that is truly independent of the OS. Snort adopts a framework made up of many flexible plug-ins, so it can easily be extended to carry out new functions and tasks. The preprocessor is one kind of Snort plug-in; it handles packets before they are passed to the detection engine. Preprocessors also work to keep up with constantly changing exploits and attacks by identifying new IDS evasion techniques, and most preprocessors are added to Snort for this purpose. With the help of preprocessors, Snort can detect not only everything from various forms of shellcode to IP fragmentation, but also suspicious traffic that has no specific signature. The detection engine is the part of Snort responsible for signature detection. Once the rules are loaded into the detection engine, they are organized into a three-dimensional tree-like structure, which improves matching efficiency by minimizing the number of detection attempts. Snort can be configured with many kinds of output plug-ins, so that intrusion data can easily be stored and analyzed. There are numerous kinds of output plug-ins, ranging from simple comma-separated files to complex relational databases, and there is also a specially designed output format and export tool, which is used...
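The abstract's point that rules loaded into the detection engine are organized into a tree to minimize the number of matching attempts is easier to see in code. The following is an added example, not code from the thesis or from Snort itself: it parses a handful of rules written in a simplified subset of Snort's rule syntax, groups them by protocol and destination port (a two-level stand-in for Snort's three-dimensional rule tree), and compares how many rule evaluations a packet costs under the tree versus a naive pass over every rule. The rules, packet dictionaries, function names and the `SAMPLE_*` constants are all constructed for this illustration.

```python
# Added example (not from the thesis or Snort): a toy rule tree showing why
# grouping rules by protocol and port cuts the number of per-packet rule
# evaluations. The rule syntax is a simplified subset of Snort's.
import re
from collections import defaultdict

# Constructed sample rules in simplified Snort syntax.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"web traversal"; content:"../";)',
    'alert tcp any any -> any 80 (msg:"web cmd.exe"; content:"cmd.exe";)',
    'alert tcp any any -> any 21 (msg:"ftp root login"; content:"USER root";)',
    'alert udp any any -> any 53 (msg:"dns txt query"; content:"TXT";)',
    'alert tcp any any -> any any (msg:"generic shell"; content:"/bin/sh";)',
]

# Constructed sample packets: protocol, destination port and payload bytes.
SAMPLE_PACKETS = [
    {"proto": "tcp", "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.0"},
    {"proto": "tcp", "dport": 21, "payload": b"USER root\r\n"},
    {"proto": "udp", "dport": 53, "payload": b"\x00\x01example\x03com"},
    {"proto": "tcp", "dport": 4444, "payload": b"/bin/sh -i"},
]

RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*\S+\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$'
)


def parse_rule(text):
    """Parse one simplified rule into a dict: action, proto, dport, msg, content."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    # Options look like: msg:"..."; content:"..."; -> split on ';' then ':'
    opts = {}
    for opt in m.group("opts").split(";"):
        if opt.strip():
            key, value = opt.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    dport = m.group("dport")
    return {
        "action": m.group("action"),
        "proto": m.group("proto").lower(),
        "dport": None if dport == "any" else int(dport),  # None = any port
        "msg": opts.get("msg", ""),
        "content": opts.get("content", "").encode(),
    }


def build_tree(rules):
    """Group rules as proto -> dport -> [rules]; the None bucket holds 'any' rules."""
    tree = defaultdict(lambda: defaultdict(list))
    for r in rules:
        tree[r["proto"]][r["dport"]].append(r)
    return tree


def match_tree(tree, pkt):
    """Evaluate only the rules in the packet's proto/port bucket (plus 'any' rules)."""
    alerts, evaluations = [], 0
    bucket = tree.get(pkt["proto"], {})
    for r in bucket.get(pkt["dport"], []) + bucket.get(None, []):
        evaluations += 1
        if r["content"] in pkt["payload"]:
            alerts.append(r["msg"])
    return alerts, evaluations


def match_linear(rules, pkt):
    """Naive baseline: evaluate every rule against every packet."""
    alerts, evaluations = [], 0
    for r in rules:
        evaluations += 1
        if (r["proto"] == pkt["proto"]
                and r["dport"] in (None, pkt["dport"])
                and r["content"] in pkt["payload"]):
            alerts.append(r["msg"])
    return alerts, evaluations


def run_comparison(rule_texts=SAMPLE_RULES, packets=SAMPLE_PACKETS):
    """Return (alerts per packet, total tree evaluations, total linear evaluations)."""
    rules = [parse_rule(t) for t in rule_texts]
    tree = build_tree(rules)
    all_alerts, tree_total, linear_total = [], 0, 0
    for pkt in packets:
        alerts, n_tree = match_tree(tree, pkt)
        lin_alerts, n_lin = match_linear(rules, pkt)
        assert sorted(alerts) == sorted(lin_alerts)  # same verdict, fewer evaluations
        all_alerts.append(alerts)
        tree_total += n_tree
        linear_total += n_lin
    return all_alerts, tree_total, linear_total


if __name__ == "__main__":
    alerts, tree_total, linear_total = run_comparison()
    for pkt, a in zip(SAMPLE_PACKETS, alerts):
        print(pkt["proto"], pkt["dport"], "->", a or "no alert")
    print(f"tree evaluations: {tree_total}, linear evaluations: {linear_total}")
```

With these five rules and four packets the tree performs 7 rule evaluations where the linear scan performs 20, and both strategies raise the same alerts. Snort's real engine adds further dimensions (source and destination addresses, a fast-pattern matcher for `content` strings), which is what makes the actual structure three-dimensional rather than the two levels shown here.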
Keywords/Search Tags: Distributed Intrusion Detection, Snort, Reduce false positives