Research And Implementation Of IPS Based On Snort In Windows System

Posted on: 2012-11-23
Degree: Master
Type: Thesis
Country: China
Candidate: L Wang
Full Text: PDF
GTID: 2218330368477583
Subject: Computer software and theory
Abstract/Summary:
As computer network technology has developed, the growth in the number of network users, high-speed data exchange and the mass of data on the network have drawn more and more attention to the problem of network security. Because attack techniques have improved and the means of attack have diversified, traditional static network security technology can no longer protect users, and a dynamic, in-depth protection system is urgently needed. This paper therefore establishes a dynamic defense system based on an improved IDS.

Firstly, this paper improves the detection algorithm of Snort. Pattern matching consumes much of the time in an IDS. There are two kinds of matching algorithm, each with its advantages and disadvantages, and many improved matching algorithms have been proposed over long-term research. This paper improves the BM algorithm by comparing the next character and jumping with two characters as a unit, which improves Snort by increasing the sliding distance and reducing the number of matching attempts.

This paper establishes a dynamic intrusion defense system that is based on the improved Snort and uses linkage technology. The system works on Windows and makes full use of Snort being open source to extend its plug-ins. By adding the keyword alert_ifw to the linkage plug-in, which sends information to the firewall, the system completes the linkage between the intrusion detection system and the firewall. In the firewall module, the system uses the IPSec filters built into Windows; according to the message, the filter blocks the IP address on the particular port for a certain time, so the host system is protected effectively.

In addition, linkage systems based on Windows are rare because of some technical limitations. This system provides a new way to establish a linkage system, using the tools in Windows to call commands that block an address and port. Finally, we test the system in a simulated experimental environment. The results show that the system performs well on matching rate, responds in real time when intrusion activity is detected, and that the firewall can block the suspicious address. In short, the system achieves its expected purpose.
Keywords/Search Tags:network security, intrusion detection, improved BM algorithm, linkage technology
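
The abstract does not spell out its improved BM algorithm. As an added example, not the thesis's code, the following shows the published Berry-Ravindran variant of Boyer-Moore, which also derives each shift from a two-character unit (the two bytes just right of the window) to lengthen the slide and cut the number of comparisons. The payload, signature and function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ASIZE 256
static int br_shift[ASIZE][ASIZE]; /* indexed by the two bytes right of the window */

/* Constructed sample payload and signature (not taken from the thesis). */
static const char SAMPLE[] = "GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
                             "GET /scripts/cmd.exe HTTP/1.0\r\n\r\n";
static const char SIG[] = "cmd.exe";

/* Build the Berry-Ravindran shift table for pat[0..m-1], m >= 1. */
static void br_prepare(const unsigned char *pat, int m) {
    int a, b, i;
    for (a = 0; a < ASIZE; a++)
        for (b = 0; b < ASIZE; b++)
            br_shift[a][b] = m + 2;            /* no alignment can cover either byte */
    for (a = 0; a < ASIZE; a++)
        br_shift[a][pat[0]] = m + 1;           /* second byte may start a match */
    for (i = 0; i < m - 1; i++)
        br_shift[pat[i]][pat[i + 1]] = m - i;  /* rightmost occurrence of the pair wins */
    for (b = 0; b < ASIZE; b++)
        br_shift[pat[m - 1]][b] = 1;           /* first byte equals last pattern byte */
}

/* Count matches of pat in buf; *windows receives how many alignments were compared. */
int br_count(const void *bufv, int n, const void *patv, int m, int *windows) {
    const unsigned char *buf = bufv, *pat = patv;
    int j = 0, hits = 0;
    *windows = 0;
    if (m < 1 || n < m) return 0;
    br_prepare(pat, m);
    while (j <= n - m) {
        (*windows)++;
        if (memcmp(pat, buf + j, (size_t)m) == 0) hits++;
        /* Use the table only when both look-ahead bytes lie inside the buffer. */
        j += (j + m + 1 < n) ? br_shift[buf[j + m]][buf[j + m + 1]] : 1;
    }
    return hits;
}

int main(void) {
    int w, n = (int)strlen(SAMPLE), m = (int)strlen(SIG);
    int hits = br_count(SAMPLE, n, SIG, m, &w);
    /* A one-byte-at-a-time scan would compare n - m + 1 windows. */
    printf("hits=%d windows=%d (naive windows=%d)\n", hits, w, n - m + 1);
    return 0;
}
```

The bounds check before the table lookup matters for packet payloads: they are not NUL-terminated, so the look-ahead bytes must never be read past the end of the buffer.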