
The Research On Lightweight Intrusion Detection System Performance Optimization

Posted on: 2015-06-21
Degree: Master
Type: Thesis
Country: China
Candidate: S Y Jin
Full Text: PDF
GTID: 2348330509460919
Subject: Computer technology
Abstract/Summary:
Intrusion Detection Systems (IDS) play an important role in information security as a class of intrusion detection equipment. Improving the detection speed of an IDS and reducing its false alarm rate and false negative rate have been a research focus in the field of information security. Snort is widely used and studied as a lightweight open-source IDS. In this paper, based on an analysis of Snort's architecture, its performance is improved in both space and time. The main work includes the following.

First, the structure of Snort's rule sets is optimized. So that relatively few rules need to be matched against a packet's characteristics, some rules were deleted and others were modified; this detection method reduces the pattern-matching computation and improves matching speed.

Second, to reduce memory consumption while the IDS runs, Snort's fast detection engine structure was modified by changing the connections between the source-port rule sets, the destination-port rule sets and the general rule sets. This reduces memory consumption without reducing performance.

Finally, a new method for matching a packet's "http" characteristics is put forward: when a packet is inspected, only its "IP", "TCP" and "http" characteristics are matched. With this detection method, Snort can process more data in the same time. Furthermore, the characteristics of the packets belonging to the same "http session" are extracted and integrated into a pseudo-packet, and only the pseudo-packet is inspected; when packets are inspected this way, Snort's false alarm rate and false negative rate are reduced.

In this paper, we tested Snort's performance before and after modifying the Snort code, using packets captured in a real network environment. The test results showed that, after the Snort detection engine structure was modified, Snort's detection speed improved and the false alarm rate and false negative rate decreased noticeably.
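The session-level pseudo-packet idea can be illustrated with a small added example (not code from the thesis or from Snort): the first session's request is split so that the content a rule looks for straddles two TCP segments, which per-packet matching misses but the reassembled pseudo-packet catches. The `Segment` type, the `HTTP_PORTS` set and all captured values are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

HTTP_PORTS = {80, 8080}  # assumed "http" ports for this example


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment: the 4-tuple identifies the session and
    seq gives its order. All values are constructed sample data."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


def session_key(seg):
    return (seg.src, seg.sport, seg.dst, seg.dport)


def build_pseudo_packets(segments):
    """Keep only http segments, group them by session, order by seq and
    concatenate the payloads into one pseudo-packet per session."""
    sessions = {}
    for seg in segments:
        if seg.dport in HTTP_PORTS:
            sessions.setdefault(session_key(seg), []).append(seg)
    return {key: b"".join(s.payload for s in sorted(segs, key=lambda s: s.seq))
            for key, segs in sessions.items()}


def match_per_packet(segments, pattern):
    """Per-packet content match; returns the seq of each alerting segment."""
    return [s.seq for s in segments if pattern in s.payload]


def match_pseudo_packet(segments, pattern):
    """Session-level match over the reassembled pseudo-packet; returns the
    session keys that alerted."""
    return [key for key, data in build_pseudo_packets(segments).items()
            if pattern in data]


# Constructed capture: the first request is split so that the content a
# rule looks for ("/etc/passwd" in the URI) straddles two segments.
SAMPLE = [
    Segment("10.0.0.5", 40001, "10.0.0.9", 80, 1000, b"GET /cgi-bin/view?file=/etc/pa"),
    Segment("10.0.0.5", 40001, "10.0.0.9", 80, 1030, b"sswd HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Segment("10.0.0.7", 40002, "10.0.0.9", 80, 5000, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    print("per-packet alerts:", match_per_packet(SAMPLE, b"/etc/passwd"))
    print("pseudo-packet alerts:", match_pseudo_packet(SAMPLE, b"/etc/passwd"))
```

The per-packet pass reports nothing for the split request, while the pseudo-packet pass reports the first session only; a real engine would also have to bound how much of a session it buffers before matching.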
Keywords/Search Tags: Intrusion Detection System, false alarm rate, pattern match