
Design And Implementation Of Intrusion Prevention System Based On Snort

Posted on: 2017-11-25
Degree: Master
Type: Thesis
Country: China
Candidate: M Y Li
Full Text: PDF
GTID: 2348330488973932
Subject: Engineering

Abstract/Summary:
With the rapid development of network technology, the network environment is changing with each passing day. The network provides the public with an increasing number of services, so people rely on it more and more. Alongside network technology, hacking techniques are also developing rapidly, and as the network expands, the number of users attacked keeps growing. Hackers target not only ordinary users but, increasingly, government agencies, community groups and even confidential national military documents. Network security therefore draws more and more attention, and governments invest a great deal of manpower and capital to safeguard their networks and keep their confidential files in a safe environment.

H3C, whose main business is providing equipment for building the networks of universities and enterprises, has set corresponding network security requirements for its products in the current network environment. The company therefore decided to develop its own Intrusion Prevention System (IPS). With no previous design to build on, the main problems to be faced are as follows:

1. Existing IPS products are not compatible with the company's products and cannot be used directly, so porting is needed.
2. Most existing IPS work at the application layer and are relatively inefficient, so improvement is needed.
3. The internal algorithm of the IPS is inefficient and needs to be improved.

To solve these problems, and based on an understanding of the state of IPS development at home and abroad, the author designed a Snort-based IPS to meet H3C's product requirements. The design covers the following three aspects:

1. After researching the development of IPS, we selected the Snort system for porting. Snort is an Intrusion Detection System (IDS), which is the foundation and a core part of the IPS. Snort is the most widely used IDS in the world and is characterized by high efficiency, flexibility and simplicity. Because it is open source, porting it also reduces development cost.
2. To improve the efficiency of the IPS and meet the needs of the company's products, the Snort system was moved from the original user level to the kernel level; accordingly, some modules were modified and new modules were added.
3. To address the low efficiency of the internal algorithm, this thesis introduces a multi-pattern matching algorithm, which can determine whether a string contains several other strings in a single comparison pass, greatly improving the efficiency of packet comparison.

Based on the requirements analysis of the Snort-based IPS, the thesis describes each function point the system needs to implement. Then, for each function point, the author carried out module partitioning and design for the IPS under the Snort system and programmed the modules. Finally, the author set up an environment for functional testing and corrected the errors found in testing to ensure that the final system achieves all the required functions.
Keywords/Search Tags: IPS, IDS, Snort technology, multi pattern matching algorithm
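
The multi-pattern matching idea from the abstract, as an added example that is not code from the thesis: an Aho-Corasick automaton checks a packet payload against every signature in one pass. The abstract does not name the algorithm the thesis uses, so Aho-Corasick is an assumption here, and the signatures, payload and function names (`ac_build`, `ac_scan`) are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_STATES 64              /* sized for the constructed signatures below */
static int next_[MAX_STATES][256]; /* transition table; state 0 is the root */
static int fail_[MAX_STATES];      /* failure link: longest proper suffix state */
static unsigned out_[MAX_STATES];  /* bit i set: signature i ends in this state */

/* Build the automaton for n <= 32 signatures; returns -1 if it does not fit. */
int ac_build(const char **sigs, int n) {
    int queue[MAX_STATES], head = 0, tail = 0, nstates = 1;
    if (n > 32) return -1;
    memset(next_, -1, sizeof next_);           /* -1 marks a missing edge */
    memset(out_, 0, sizeof out_);
    for (int i = 0; i < n; i++) {              /* phase 1: trie of all signatures */
        int s = 0;
        for (const unsigned char *p = (const unsigned char *)sigs[i]; *p; p++) {
            if (next_[s][*p] < 0) { if (nstates == MAX_STATES) return -1; next_[s][*p] = nstates++; }
            s = next_[s][*p];
        }
        out_[s] |= 1u << i;
    }
    for (int c = 0; c < 256; c++)              /* bytes unknown at the root stay there */
        if (next_[0][c] < 0) next_[0][c] = 0;
        else { fail_[next_[0][c]] = 0; queue[tail++] = next_[0][c]; }
    while (head < tail) {                      /* phase 2: breadth-first failure links */
        int s = queue[head++];
        for (int c = 0; c < 256; c++) {
            int t = next_[s][c];
            if (t < 0) { next_[s][c] = next_[fail_[s]][c]; continue; }
            fail_[t] = next_[fail_[s]][c];
            out_[t] |= out_[fail_[t]];         /* inherit signatures ending as a suffix */
            queue[tail++] = t;
        }
    }
    return 0;
}

/* One pass over the payload: one table lookup per byte covers every signature. */
unsigned ac_scan(const unsigned char *buf, size_t len) {
    unsigned hits = 0;
    for (size_t i = 0, s = 0; i < len; i++) hits |= out_[s = (size_t)next_[s][buf[i]]];
    return hits;
}

int main(void) {
    const char *sigs[] = {"cmd.exe", "/etc/passwd", "passwd", "SELECT"}; /* constructed */
    const unsigned char pkt[] = "GET /a?f=../../etc/passwd HTTP/1.0";    /* constructed */
    if (ac_build(sigs, 4) == 0) printf("hit mask: 0x%x\n", ac_scan(pkt, sizeof pkt - 1));
    return 0;
}
```

The returned bitmask has one bit per signature, so overlapping signatures such as `/etc/passwd` and `passwd` are both reported from the same scan, and scan time does not grow with the number of signatures.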