
Research And Implementation Of Network Traffic Monitoring System Based On Snort

Posted on: 2014-03-10
Degree: Master
Type: Thesis
Country: China
Candidate: C C Wang
GTID: 2268330398472230
Subject: Signal and Information Processing

Abstract/Summary:
In recent years, with the rapid development of Internet technology and applications, network intrusion events have also increased dramatically, making network security more severe and complicated. Network security technology therefore faces serious challenges that traditional measures such as data encryption, vulnerability scanning and firewalls are incapable of coping with. An intrusion detection system is a rational supplement to the firewall: without affecting network performance, it monitors network transmissions in real time, sends alarms or takes active response measures when suspicious transmissions appear, and protects the network from internal attacks, external attacks and misuse. Snort is the main tool among current intrusion detection systems and has been widely installed and used.

This thesis provides an overview of network monitoring technology and its classification, analyzes existing intrusion detection technologies, introduces intrusion detection systems, and presents several common intrusion detection systems including Snort. On this basis, the thesis studies the characteristics and architecture of the Snort system in detail, such as its plugin mechanism and detection engine. Based on the Snort preprocessor Stream5, the thesis designs and implements a flow statistical characteristics extraction module, laying a foundation for anomaly detection based on flow statistical characteristics and addressing the problems that Snort's pattern-matching detection mechanism cannot detect encrypted messages and cannot adapt to high-speed links.

Next, to overcome the shortcoming that Snort produces massive logs and alarm information that are inconvenient to analyze, the thesis presents the design and implementation of an alarmed-traffic classification and statistics module. The module makes the output path and classification of alarm information configurable and adds packet-count and byte-count statistics; it also designs and implements a preprocessor that acts as a timer to report the alarmed traffic periodically, which lets users specify criteria to classify alarm information and monitor alarmed traffic over different periods. Finally, the thesis not only fixes defects in the output plug-in module but also introduces network application signatures into the Snort rules, marking the signature both on the signature-matched packet and on the other packets of its connection. This module not only expands the traffic monitoring categories of Snort but also contributes to application signature study and traffic analysis.
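As an added illustration (not code from the thesis or from Snort), the following stand-alone Python models two ideas the abstract describes: extracting per-connection flow statistics (packet count, byte count, duration, mean packet size, mean inter-arrival time), which stay available even when payloads are encrypted, and propagating an application-signature match from one packet to every packet of its connection. The `Packet` class, the signature patterns and the sample traffic are all constructed for the example; a real Stream5 preprocessor would obtain sessions from Snort's internal session tracker instead.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float        # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    length: int      # bytes on the wire
    payload: bytes   # may be empty or opaque (e.g. encrypted)


def flow_key(p: Packet) -> tuple:
    """Direction-independent key so both halves of a TCP session share one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def extract_flow_stats(packets) -> dict:
    """Per-flow statistical features that do not depend on payload content."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    stats = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p.ts)
        ts = [p.ts for p in pkts]
        iats = [b - a for a, b in zip(ts, ts[1:])]  # inter-arrival times
        total = sum(p.length for p in pkts)
        stats[key] = {"packets": len(pkts), "bytes": total,
                      "duration": ts[-1] - ts[0], "mean_len": total / len(pkts),
                      "mean_iat": sum(iats) / len(iats) if iats else 0.0}
    return stats


# Constructed application signatures (hypothetical, not Snort's own rule set).
SIGNATURES = {"http": b"HTTP/1.", "ssh": b"SSH-2.0"}


def tag_connections(packets, signatures=SIGNATURES) -> dict:
    """Label a whole connection once any one of its packets matches a signature."""
    labels = {}
    for p in packets:
        for app, pattern in signatures.items():
            if pattern in p.payload:
                labels.setdefault(flow_key(p), app)  # first match wins
    return labels


# Constructed sample traffic: one HTTP session and one SSH session.
SAMPLE = [
    Packet(0.00, "10.0.0.5", 40001, "192.0.2.10", 80, 74, b""),
    Packet(0.01, "192.0.2.10", 80, "10.0.0.5", 40001, 74, b""),
    Packet(0.02, "10.0.0.5", 40001, "192.0.2.10", 80, 200, b"GET / HTTP/1.1\r\n"),
    Packet(0.05, "192.0.2.10", 80, "10.0.0.5", 40001, 1500, b"HTTP/1.1 200 OK\r\n"),
    Packet(1.00, "10.0.0.7", 50002, "192.0.2.22", 22, 74, b""),
    Packet(1.20, "192.0.2.22", 22, "10.0.0.7", 50002, 100, b"SSH-2.0-OpenSSH\r\n"),
]
```

Running `extract_flow_stats(SAMPLE)` and `tag_connections(SAMPLE)` shows that the two empty-payload handshake packets of each session are still counted in the flow statistics and still receive the application label found later in the same connection.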
Keywords/Search Tags: network monitor, intrusion detection, Snort system, flow statistical characteristics, application signature