
Research On Network Intrusion Prevention System Based On Snort

Posted on: 2012-11-13
Degree: Master
Type: Thesis
Country: China
Candidate: H Li
GTID: 2218330374953429
Subject: Computer software and theory

Abstract/Summary:
As computer networks multiply and attack techniques develop, new attacks emerge one after another. Traditional security technologies each have their own shortcomings and cannot ensure good network security. Firewall technology is a passive, static detection technology that cannot detect attacks originating inside the network; intrusion detection technology can detect only known attacks and can do nothing against unknown ones. The intrusion prevention system (IPS) is a network security technology that remedies the shortcomings of firewalls and intrusion detection systems. It is an active, proactive defense tool: when it detects an attack, it can automatically discard the attack packets or block the attack source, protecting the host or network from damage in real time. However, the detection algorithms built into existing intrusion prevention systems are imperfect and give the systems high false positive and false negative rates. This thesis therefore applies support vector machines (SVM) to Snort deployed behind the Linux firewall, linking the intrusion detection and intrusion prevention functions to address the shortcomings of existing intrusion prevention systems.

The thesis designs a network intrusion prevention system in which the intrusion detection system Snort_inline interacts with a Netfilter firewall configured through iptables. Snort_inline works in user space, while the Netfilter firewall works in kernel space, so packets must be passed from kernel space to user space for intrusion detection. If every packet in kernel space is copied to user space, processing speed drops and system performance suffers.

This can be improved. Because the Netfilter firewall configured through iptables already performs packet filtering, traffic that the firewall can itself determine to be legitimate passes directly, without going to the intrusion detection module, and traffic it determines to be illegal is discarded directly. The firewall hands only the packets that need inspection to the intrusion detection module, which increases data processing speed. To address Snort's high false positive and false negative rates and the current problems of misuse detection techniques, the Snort intrusion detection module is improved by adding an SVM classification learning function. Training on data reduces the system's false alarm rate, improves its detection accuracy and gives the system good generalization ability. The Snort-based network intrusion prevention system is built on a modular design and has good interactivity and scalability.
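The three-way split described above (discard known-illegal traffic, pass known-legitimate traffic, queue only the remainder to user space) can be sketched as an iptables-restore ruleset. This is an added example, not code from the thesis: the function names, the FORWARD chain, the NFQUEUE target with queue number 0 and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset in which Netfilter settles
# the traffic it can decide on its own and copies only the rest to user space.
# Assumptions (not from the thesis): FORWARD chain on an inline gateway,
# NFQUEUE queue 0 read by the user-space inspector, constructed address lists.

QUEUE_NUM=0

# Shape check for IPv4 with optional /prefix, so a list entry cannot smuggle
# extra rule text into the generated ruleset.
is_ipv4_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# build_ruleset "<blocked sources>" "<trusted sources>"
# Prints the ruleset on stdout; applying it is a separate, deliberate step.
build_ruleset() {
    blocked=$1
    trusted=$2
    for addr in $blocked $trusted; do
        is_ipv4_cidr "$addr" || { echo "invalid address: $addr" >&2; return 1; }
    done

    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'

    # 1. Traffic the firewall already knows to be illegal: dropped in the kernel.
    for addr in $blocked; do
        printf '%s\n' "-A FORWARD -s $addr -j DROP"
    done
    # 2. Traffic the firewall already knows to be legitimate: never copied out.
    for addr in $trusted; do
        printf '%s\n' "-A FORWARD -s $addr -j ACCEPT"
    done
    # 3. Everything else needs inspection. Without --queue-bypass, packets are
    #    dropped when no program is attached to the queue (fail closed).
    printf '%s\n' "-A FORWARD -j NFQUEUE --queue-num $QUEUE_NUM"
    printf '%s\n' 'COMMIT'
}

# Constructed sample lists (documentation address ranges).
build_ruleset "203.0.113.7 198.51.100.0/24" "192.0.2.10"
```

Rule order matters here: the NFQUEUE rule must come last, otherwise every packet is copied to user space before the kernel-side verdicts are consulted.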
Keywords/Search Tags: Intrusion prevention system, Support Vector Machine, Snort intrusion detection system, Classification of learning system, firewall