The Design And Implementation Of The High-Speed Network IDS Based On Snort

Posted on: 2017-05-31
Degree: Master
Type: Thesis
Country: China
Candidate: H Z Cong
Full Text: PDF
GTID: 2308330485979514
Subject: Computer technology
Abstract/Summary:
Networks play an increasingly important role in people's lives. They bring convenience, but at the same time their security problems are becoming more and more important. In traditional network security solutions, firewall tools play an important role, but a firewall cannot resist attacks from within the network. Intrusion detection systems appeared in response. They provide further security protection to the network on the basis of the firewall and have become a hot research topic in the field of network security. High-speed network environments challenge the processing and analysis ability of an intrusion detection system. Snort, a typical open-source network intrusion detection system, has been widely used all over the world. For these reasons, this paper chooses the Snort-based high-speed network intrusion detection system as its research direction.

This paper first analyzes IDS, which is the theoretical basis of this project. Intrusion detection refers to the techniques and methods used to detect suspicious activity on both networks and host systems. Intruders have signatures, like computer viruses, that can be detected using software. Data packets containing any known intrusion-related signatures, or anomalies related to Internet protocols, can be detected. Based on a set of signatures and rules, the detection system is able to find and log suspicious activities and generate alerts. Anomaly-based intrusion detection usually depends on the anomalies present in protocol headers. In some cases these methods produce better results than signature-based IDS. Usually an intrusion detection system captures data from the network and applies its rules to that data or detects anomalies in it.

I propose the overall design of the high-speed network IDS based on Snort. To fit the high-speed network environment, we improved the Snort data capture module, using PF_RING to capture packets at high speed and running multiple Snort processes to process packets at high speed. Another important piece of work is the design and implementation of the Snort analysis and query system, which conveniently displays the alert data and presents it visually. It mainly includes the inquiry module, the paragraphing module, the statistics module and the alert grouping module.

In the chapter on the design and implementation of the capture module, I first analyze the technologies related to improving the capture module, then introduce PF_RING, its API and its internal working procedure. We use PF_RING to realize high-speed capture. Then I introduce the installation, configuration and testing of PF_RING+SNORT.

In the chapter on the design and implementation of the Intrusion Detection Inquiry and Analysis System module, I first develop the overall design, the detailed design and the database design of the Intrusion Detection Inquiry and Analysis System. Then I introduce its main web pages, including the design of the front page, the creation of alert groups, the inquiry module and the graph creation module. Then I introduce the installation and configuration of the Intrusion Detection Inquiry and Analysis System. At the end of this chapter, I introduce the testing of the Intrusion Detection Inquiry and Analysis System. The system has been deployed on Shandong University's server and has run for more than one year, accumulating more than 80 thousand alerts and showing comparatively good results.
Keywords/Search Tags: IDS (Intrusion Detection System), Snort, PF_RING, IDIAS