
Implementation Of Intrusion Prevention System Based On Snort

Posted on: 2016-11-15
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Ma
GTID: 2308330479484652
Subject: Electronic and communication engineering

Abstract/Summary:
With advances in information technology and the development of the Internet, the network environment is becoming increasingly complex and new attack techniques appear constantly, so firewalls and intrusion detection systems (IDS) alone can no longer ensure network security. Research on intrusion prevention systems (IPS), which combine a firewall with an IDS, is becoming popular in the field of network security. A firewall blocks illegal intrusions according to its configured rules, while an IDS dynamically monitors network traffic, finds illegal intrusion behavior and raises an alarm in time. These two parts form the core and foundation of the network security framework. An IPS integrates the advantages of the firewall and the IDS: it can not only perform deep attack detection on network packets, but also block attacks in time. Therefore, more and more companies are moving from IDS to IPS, with IPS technology integrated into their existing security products.

This study implements an IPS based on Snort, which adopts non-open-source code and has its own special engine module. The paper first studies the present status of IPS and analyzes the relevant theory of IPS in terms of its operating principle, classification, advantages and disadvantages. Snort rules are the emphasis of the paper and are introduced in detail. Meanwhile, to improve the efficiency of message detection, the paper adopts the BM algorithm and the AC algorithm.

This paper designs and implements a prototype intrusion prevention system based on Snort. To improve its ability to detect and deal with attacks, the system uses a unified detection engine to handle message processing. On this basis, the paper designs an intrusion prevention system and parses the common command lines that H Company designed for the intrusion prevention system. It then analyzes the key techniques of every block of the system and gives the main design flow and programs. In addition, to unify software processing and make subsequent business expansion convenient, Snort rule parsing uses the TLV format.

Finally, the paper uses the Tcpreplay software to test the function and performance of the IPS. The function and performance tests together demonstrate the validity and effectiveness of the system. In the function testing part, the correctness of attack recognition is verified by testing the basic functions of the IPS. In the performance testing part, the efficiency of the designed system is verified by comparing the performance of the intrusion prevention system.
Keywords/Search Tags: Tcpreplay Playback Message, Snort Algorithm, Snort, IPS