Improved Snort Intrusion Detection System Using Modified Pattern Matching Technique


Chintan C. Kacha (1), Kirtee A. Shevade (2), Dr. Kuldeep S. Raghuwanshi (3)

(1) Department of Computer Science, Oriental College of Technology, Bhopal, India.
(2) Asst. Professor, Department of Computer Science, Oriental College of Technology, Bhopal, India.
(3) Asst. Professor, Ph.D., M.Tech, B.E., Department of Computer Science, Oriental College of Technology, Bhopal, India.

Abstract

As the number of network attacks rises, security measures such as Intrusion Detection Systems (IDS) become essential. IDSs are considered especially useful when new community hacking tools are emerging. An intrusion detection system identifies problems with security policies, documents existing threats and detects individuals who violate the security policy. Because of the limitations of firewalls and intrusion detection systems in the information security domain, the Intrusion Prevention System (IPS) appeared: a newer generation of information security technology, following the firewall and intrusion detection, that protects the network and its systems from attack in real time, and it is now a hotspot of research in network security. This work introduces a novel IDS packet matching technique that provides faster packet inspection with lower RAM and processor consumption. The Improved Snort IDS uses a new pattern matching algorithm together with modified Snort signatures, and uses a minimum of CPU and memory. The experimental results show that the proposed technique outperforms other Network Intrusion Detection Systems (NIDS).

Keywords: IDS; NIDS; IPS; Snort; Improved Snort

I. INTRODUCTION

In the last few years the amount of malicious traffic on the Internet has increased enormously [14], in a way that should be regarded with concern.
Malicious traffic can cause loss of or harm to data on computers, and loss of sensitive information is something that happens from time to time. Companies spend billions of dollars on computer security each year, yet computers still get infected or compromised by malicious traffic. Unaware employees, hackers, organized cyber criminals and unknown vulnerabilities are among the reasons why systems get compromised. Large companies and governmental organizations need the best tools available to prevent intrusions, since they are more exposed to malicious traffic. The best firewalls, antivirus products, intrusion prevention systems and other security tools available are expensive. Large companies can afford these tools, but what about smaller companies? They do not have the same budget, nor the same need for the best and most expensive security tools. One common rule companies apply to security is that the amount of money spent on security should not exceed the cost of losing the data or of the compromised computers; this is something a company should work out before investing in security tools. Normally large companies and governmental organizations have more important information to protect than smaller companies, and therefore they need to invest in the best security tools available. Smaller companies do not have the same need, so should they invest the same amount of money in security tools? In most cases they do not, and open source is therefore an area that should interest these companies. The open source community has some advantages over paid solutions, one of them being the availability of the source code: people using open source software can collaborate and contribute their own results and experiences to help each other solve problems and improve the software.
When buying a firewall, an intrusion detection system or an intrusion prevention system, one often gets a preconfigured box which is set up in the network and left there. By using open source security tools, one can interact with other open source users, search for solutions, and get much more information. An intrusion detection system (IDS) is a well known security tool used by companies to prevent loss of and harm to data. Palo Alto Networks and Sourcefire are two of the leading companies in this business. Palo Alto offers only a commercial solution, while Sourcefire has both a commercial solution and an open source one, the Snort IDS. In addition to Snort, there are two other well known open source intrusion detection systems, Bro and Suricata. Snort and Bro have existed since 1998, while Suricata's first stable version was released in July. An open source intrusion detection system is a good option for companies and organizations that do not have the budget of the larger companies and governmental organizations. When choosing an open source intrusion detection system, one should know how to set it up, how to use it, and how to respond to the different alarms it creates when running in the network. Without previous knowledge it is difficult to know which intrusion detection system to choose.

The remainder of the paper is organized as follows. Section II introduces the intrusion detection systems under evaluation. Section III presents the proposed algorithm for improving efficiency. Section IV presents the performance analysis of Snort and Improved Snort, and conclusions are drawn in Section V.

II. INTRUSION DETECTION SYSTEMS

Intrusion Detection Systems fall into two categories: Network based intrusion detection systems (NIDS) and Host based intrusion detection systems (HIDS). Network intrusion detection systems operate by analyzing network traffic, whereas host based systems analyze operating system audit trails. Within these two, the detection method is categorized by one of two criteria: anomaly detection or pattern detection. Systems based on anomaly detection build a profile of what can be considered normal usage over a period of time and raise alarms should anything deviate from this behavior; a subclass of this type is based on protocol standards. Pattern detection identifies intrusions based on known intrusion techniques and raises alarms when these are detected [2]. Intrusion detection systems have considerably improved network security by checking both the payload and the header of each packet. To prevent network attacks, intrusion detection systems (IDS) have been widely deployed. An intrusion detection system can be either a device or a software application. It focuses on detecting intrusions, logging information about them, and reporting them to the system administrator. Organizations also use intrusion detection systems to identify problems with security policies, document existing threats and detect individuals who violate the security policy. By detection strategy, there are two types of intrusion detection: misuse based and anomaly based.

a) Misuse Based Intrusion Detection

Misuse based detection is also called knowledge based detection.
A knowledge based detector is equipped with a database containing signatures of known attacks. The audit data collected by the IDS is compared with the content of the database and, if a match is found, an alert is generated. Events that match none of the attack models are considered part of legitimate activity. The main advantage of misuse based systems is that they usually produce very few false positives. The approach has drawbacks, however: it cannot detect previously unknown attacks, and sometimes it cannot even detect variations of known attacks.

b) Anomaly Based Intrusion Detection

Anomaly based detection is a behavior based method. It rests on the assumption that all anomalous activity is malicious and that all attacks are a subset of anomalous activity. It builds a model of the normal behavior of the system and then looks for activity that does not conform to the established model. Since it can detect unknown attacks, it is currently a research hotspot. However, since it is impossible to describe all the activities of all users of a system, it leads to a relatively high false positive rate. Most current IDSs use one of these two detection methods.

There are two main types of intrusion detection system (IDS): 1) Network Intrusion Detection System (NIDS) and 2) Host Based Intrusion Detection System (HIDS).

1) Network Intrusion Detection System (NIDS)

A NIDS is an independent platform that examines network traffic and monitors multiple hosts to identify malicious activity. The usual way to set up a NIDS is to connect it to a network hub, a network switch configured for port mirroring, or a network tap [14]. Sensors are placed at choke points in the network to be monitored, often in the demilitarized zone or at network borders. The sensors capture all network traffic and analyze the content of each packet for malicious content.
2) Host Based Intrusion Detection System (HIDS)

A host based IDS is placed on a host, where it detects intrusions by analyzing system calls, application logs, file system modifications, and other host activities and state. The sensor usually consists of a software agent.

There are two different techniques an IDS uses to detect malicious traffic or activity:

a) Statistical anomaly based IDS. A statistical anomaly based IDS sets up a baseline of what kind of traffic is considered normal. By looking at bandwidth use, which protocols are used, and which ports and devices are generally connected to each other, one builds a baseline; when a sample of traffic falls outside this baseline, an alert is created and sent to the administrator.

b) Signature based IDS. A signature based IDS monitors the network and compares the packets against preset signatures of known attacks. When it detects packets or traffic that match one of the signatures in its database, it raises an alarm about that malicious traffic and reports it to the administrator.

The problem with a signature based IDS is that it cannot detect malicious traffic for which no signature has been written yet, whereas a statistical anomaly based IDS can detect it.

A. Snort

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS), created by Martin Roesch in 1998. Snort's open source NIDS has the ability to perform real time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching [15]. The program can also be used to detect probes or attacks including, but not limited to, operating system fingerprinting attempts, common gateway interface (CGI) attacks, buffer overflows, server message block (SMB) probes, and stealth port scans. Snort is open source intrusion detection software that runs on Windows or Linux. Being free, having a complete set of capabilities and being installable on different machines and operating systems has made Snort popular for intrusion detection in computer networks. The complete version of Snort is a Network Intrusion Detection System (NIDS). The software can be configured in three modes: sniffer mode, packet logging mode and intrusion detection mode. In sniffer mode, as the name indicates, Snort is just a simple sniffer and displays the content of the packets transmitted on the network. In packet logging mode, Snort stores packet data in a specified file. In intrusion detection mode, Snort captures and analyzes packets as in the two previous modes and applies the configured rules; after a detection, the required actions are taken. In this mode we can define a set of rules as the criteria for detecting intrusive programs: Snort checks network traffic against a database of intrusion characteristics.
For example, one can configure Snort with a rule that raises a warning message or takes a proper action whenever an access in a defined protocol, from/to a specific port and from/to a specific destination, carries content containing a specific string. Each Snort rule has two parts: the header and the content (options) describing the data packet. The rule header holds the protocol type, the IP addresses and the source and destination port numbers of the intrusive packet. The content part holds a string pattern in ASCII, in hex, or a combination of the two; in a Snort rule, a hex run is enclosed between two | signs. A sample Snort rule is shown in Fig. 1.

alert tcp any any -> /32 111 (content:"idc|3a 3b|"; msg:"mountd access";)

Figure 1. Sample of a Snort rule

This rule is aimed at an intrusive program that uses the TCP protocol and whose source has an unknown IP address and port number. The destination is the single host given in the rule (a /32 address) and the destination port is 111. Many packets in the network have these attributes; therefore, to identify the packets of the intrusive program, the packet content must contain the pattern idc|3a 3b|. This pattern consists of the characters i, d and c followed by the bytes 3a and 3b [15]. Snort depends on pattern matching and performs content analysis. Users can add new rules according to their own needs or build their own rule database. The header defines the action and the traffic it applies to, while the options completely describe the characteristics of a matching data packet, so that the rule matching engine can work at high speed.
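As an added illustration of the two-part rule structure just described (this is example code written for this page, not Snort's own rule parser): a small Python parser that splits a rule into header fields and options, decodes a content: pattern with mixed ASCII and |hex| runs into bytes, and checks a packet against header and content, honouring a depth: modifier. The sample rule, its 10.0.0.5/32 destination and the packets are constructed for the example; Snort's real rule language has many more options and modifiers than this handles.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample rule in the header + options form described above.  The
# destination host 10.0.0.5/32 is an example value, not taken from the paper.
SAMPLE_RULE = ('alert tcp any any -> 10.0.0.5/32 111 '
               '(content:"idc|3a 3b|"; msg:"mountd access"; depth:12;)')

# header: action proto src sport direction dst dport, then "(" options ")"
RULE_RE = re.compile(
    r'^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# options: key:"quoted value";  key:bare value;  or a bare flag such as nocase;
OPT_RE = re.compile(
    r'\s*([A-Za-z_]+)\s*(?::\s*(?:"((?:[^"\\]|\\.)*)"|([^;"]*)))?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict
    content: bytes


def decode_content(spec: str) -> bytes:
    """Turn a content: pattern into bytes.  Text outside |...| is ASCII, text
    inside is hex bytes (spaces optional); a backslash escapes one character."""
    out = bytearray()
    i, n = 0, len(spec)
    while i < n:
        c = spec[i]
        if c == '|':
            j = spec.index('|', i + 1)
            out += bytes.fromhex(spec[i + 1:j].replace(' ', ''))
            i = j + 1
        elif c == '\\' and i + 1 < n:
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("not a 'header (options)' rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for om in OPT_RE.finditer(opts):
        key, quoted, bare = om.groups()
        options[key] = quoted if quoted is not None else (
            bare.strip() if bare else True)
    content = decode_content(options["content"]) if "content" in options else b""
    return Rule(action, proto, src, sport, direction, dst, dport, options, content)


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def header_matches(rule: Rule, pkt: dict) -> bool:
    """The cheap header check: protocol, addresses and ports."""
    return (rule.proto == pkt["proto"]
            and _addr_ok(rule.src, pkt["src"]) and _port_ok(rule.sport, pkt["sport"])
            and _addr_ok(rule.dst, pkt["dst"]) and _port_ok(rule.dport, pkt["dport"]))


def evaluate(rule: Rule, pkt: dict):
    """Return (msg, offset) if the packet matches header and content, else None.
    depth:, when present, is how far into the payload the pattern may end."""
    if not header_matches(rule, pkt):
        return None
    payload = pkt["payload"]
    depth = rule.options.get("depth")
    if depth not in (None, True):
        payload = payload[:int(depth)]
    pos = payload.find(rule.content)
    if pos < 0:
        return None
    return rule.options.get("msg"), pos


# Constructed packets: one carrying the pattern to port 111, one to port 80.
MATCHING_PACKET = {"proto": "tcp", "src": "192.0.2.7", "sport": 40123,
                   "dst": "10.0.0.5", "dport": 111,
                   "payload": b"\x80\x00\x00\x28idc:;\x00\x00"}
OTHER_PACKET = dict(MATCHING_PACKET, dport=80)
```

The header check runs first because it is a handful of integer comparisons, while the content search touches every payload byte; a rule whose header does not match never reaches the pattern matcher.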
Snort rules can be classified by technology type, attack type and threat type, and they also define a priority, which can further improve rule matching efficiency. Snort is a libpcap based packet sniffer (the same capture library Wireshark uses) and can be used as a lightweight network intrusion detection system. It can monitor network traffic in real time, analyze the protocol of each packet and match intrusion features, detecting dangerous or suspicious behavior. Snort-inline is a modification of Snort that changes three things: the way network packets are obtained, the way packets are processed, and the response mode (how it acts on the packet).

B. Snort Modes

Snort can operate in three different modes, namely tap (passive), inline, and inline test, and Snort policies can be configured for these three modes too. Explanation of the modes [15]:

Inline. When Snort is in inline mode it acts as an IPS, allowing drop rules to trigger. Snort is configured to run in inline mode with the command line argument -Q and the snort config option policy_mode, as follows:

snort -Q
config policy_mode:inline

Passive. When Snort is in passive mode it acts as an IDS. Drop rules are not loaded (unless treat-drop-as-alert is set). Snort is configured for passive mode with the snort config option policy_mode, as follows:

config policy_mode:tap

Inline Test. Inline test mode simulates the inline mode of Snort, allowing evaluation of inline behavior without affecting traffic. The drop rules are loaded and, when triggered, produce a Wdrop (Would Drop) alert. Snort is configured to run in inline test mode using the command line option --enable-inline-test or the snort config option policy_mode, as follows:

snort --enable-inline-test
config policy_mode:inline_test

C. Aho-Corasick Algorithm

Aho-Corasick [6] is an exact pattern matching algorithm; it finds application in many areas, especially in intrusion detection systems. By default Snort uses a variant of the Aho-Corasick algorithm for pattern matching against the Snort rules. The main concept behind the algorithm is the construction of an automaton. It builds the automaton from the set of patterns, and when text has to be matched it traverses the automaton over the text and reports the matched positions. The automaton can be built either as a deterministic finite automaton (DFA) or as a nondeterministic finite automaton (NFA), and each form has its own advantages and disadvantages. Both recognize exactly the same set of patterns; the difference is in cost. A DFA has exactly one transition per state and input symbol, so every input byte costs a single table lookup, but the full transition table occupies more memory. The NFA form (the trie plus failure links) is more compact but may follow several failure transitions for a single byte, so its per-byte cost is not constant. Where memory is the constraint the NFA form is preferred; where a fixed per-byte cost is required, as when matching at line rate, the DFA form is the usual choice. The Aho-Corasick algorithm was implemented in Improved Snort using the C library Multifast [11], which performs multi-pattern matching. The main advantage of this library is that multiple patterns can be searched in a single pass through the automaton. Improved Snort integrated this multi-pattern matching for intrusion detection. The library constructs an automaton for each of the rule files generated according to protocol type.
In this case the automata are constructed for the content portion of the Snort rules, which was extracted by pre-processing. The automaton construction is initialized only once. The same applies to Snort, where the automaton is created for the entire Snort rule set, occupying many MB of memory and resulting in a vast number of states and transitions, so that each transition takes more time. The library constructs a DFA for the incoming files. It was modified to report additional details about the matched pattern, such as the start and end positions of the matched string and the string length. The Aho-Corasick algorithm runs in time O(n + m), where n is the length of the text and m is the total length of the patterns (plus the number of matches reported).

D. Limitations of Snort

Snort is an open source intrusion detection system based on misuse detection. Its decisions are backed by a set of predefined rules, the Snort rules, which are easily downloaded from the Internet. Snort uses several predefined pattern matching algorithms, namely Aho-Corasick, Boyer-Moore-Horspool and combinations of these. As part of its start-up, Snort initializes the predefined rule sets automatically. As packets arrive from the network they are matched against these rules; if a pattern match is detected the packet is flagged as anomalous and logged in the directory specified at run time. A Snort rule can be divided into two main parts, the header and the options. The header mainly consists of the source and destination addresses and ports, the protocol and the action to be taken.
The options part contains additional fields to be checked in the packet, namely the flags, the content, the URI, the depth to which the packet is to be searched, the ICMP type, references, the Snort ID (sid), the attack class type, the message to be displayed if an attack is detected, and so on. Some of the prominent drawbacks of Snort are listed below:

- Adding additional Snort instances and modifying Snort configurations can magnify mistakes, so only experienced users can use it.
- Snort has no built-in detection for UDP and TCP flooding attacks; only ICMP floods are covered by the stock rules.
- When Snort is in active detection mode it utilizes 100% of the CPU and slows the performance of the system down considerably.
- Snort has no graphical interface by default; one can be obtained only by adding extra plug-ins.
- By default Snort provides no anomaly detection and is a purely misuse based system; an extra plug-in is required.
- While handling normal traffic Snort processes packets at a slow pace. During a DoS or DDoS attack its throughput increases drastically, but it drops a large number of packets.
- When the number of rules increases, memory utilization also increases, and initializing all the rules takes longer.
- Snort checks each and every field specified in a rule and creates an RTN (rule tree node) and OTNs (option tree nodes) for all the fields; it therefore reduces processing throughput by performing several unnecessary comparisons against all the fields in the rule.
- Snort detects flooding attacks only to the extent its default rules cover them. If Snort needs to be configured to detect other kinds of attacks, the configuration file has to be changed, which is a tedious task.

- Snort as distributed is an intrusion detection system; it prevents nothing unless it is deployed inline (Section II.B), in which case it also acts as an IPS.
- Snort starts to drop packets at a massive rate when the incoming packet rate is high. The chance of missing attack patterns therefore increases, since it never analyzes the dropped packets.

III. PROPOSED ALGORITHM OF IMPROVED SNORT

Improved Snort was developed mainly to plug some of the soft spots mentioned above. The prime focus was to bring about a substantial improvement over Snort IDS in CPU and memory utilization, and to reduce the latency added to the streaming data packets while they are sniffed for malicious activity on the fly. From the drawbacks of Snort it is clear that, as used here, it is purely an IDS, and additional plug-ins are needed to make it an IPS; Improved Snort performs both detection and prevention. This approach also integrates the misuse and the anomaly detection methods, to trim the number of false alarms considerably. To implement the misuse based detection in Improved Snort, the default Snort rules were modified. In Snort, the rule tree structure (automaton) is constructed for both the header and the options portion of a rule. In Improved Snort, the finite automaton construction for the header portion is avoided entirely, and the automaton is constructed for the options portion alone. This is sliced even thinner by constructing the automaton only for the content portion of the predefined rule set. Initial pre-processing groups the rules by protocol and stores them separately in four files, for TCP, UDP, ICMP and IP respectively. When Improved Snort intercepts a packet, it extracts the protocol field from the packet header. The packet is then directed to the file containing the rules for the protocol to which it belongs.
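The two mechanisms described in Section II.C and in this section, the Aho-Corasick multi-pattern automaton and the protocol-based grouping of content patterns, as one added example written for this page (not code from Improved Snort, Snort or the Multifast library). `AhoCorasick` is the classic failure-link (NFA-style) form of the automaton and reports the start and end position of every match; `ProtocolGroupedMatcher` builds one automaton per protocol from the content bytes only and runs a payload against just the automaton for its protocol. The rule tuples, their messages and the payloads are constructed for the example, with the content already decoded to bytes.

```python
from collections import deque


class AhoCorasick:
    """Multi-pattern matcher over bytes (Aho & Corasick, 1975): a trie of the
    patterns with failure links computed breadth-first.  search() reports
    (start, end, pattern) for every occurrence, overlapping ones included."""

    def __init__(self, patterns):
        self.goto = [{}]      # goto[state][byte] -> next state
        self.fail = [0]       # fail[state] -> state of the longest proper suffix
        self.out = [[]]       # patterns that end in this state
        for p in patterns:
            s = 0
            for b in p:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(p)
        queue = deque(self.goto[0].values())     # depth-1 states fail to root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # a pattern ending at fail[s] also ends at s (it is a suffix)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, text: bytes):
        s, hits = 0, []
        for i, b in enumerate(text):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for p in self.out[s]:
                hits.append((i + 1 - len(p), i + 1, p))   # start, end (exclusive)
        return hits


class ProtocolGroupedMatcher:
    """The pre-processing step of Section III: rules are grouped by protocol,
    one automaton is built per group from the content patterns alone, and a
    packet is run only against the automaton of its own protocol."""

    def __init__(self, rules):
        # rules: iterable of (protocol, content_bytes, message)
        groups = {}
        for proto, content, msg in rules:
            groups.setdefault(proto, {}).setdefault(content, []).append(msg)
        self.messages = groups
        self.automata = {proto: AhoCorasick(list(contents))
                         for proto, contents in groups.items()}

    def inspect(self, proto: str, payload: bytes):
        """Return (start, end, message) for every rule content found in the
        payload, consulting only the rules of the packet's protocol."""
        ac = self.automata.get(proto)
        if ac is None:          # no rules for this protocol: nothing to search
            return []
        return [(start, end, msg)
                for start, end, pattern in ac.search(payload)
                for msg in self.messages[proto][pattern]]

    def automaton_sizes(self):
        """Number of states per protocol automaton (what competes for memory)."""
        return {proto: len(ac.goto) for proto, ac in self.automata.items()}


# Constructed rules, already reduced to (protocol, content bytes, message).
RULES = [
    ("tcp", b"idc:;", "mountd access"),
    ("tcp", b"/bin/sh", "shell string in tcp payload"),
    ("udp", b"\x00\x01\x86\xa5", "rpc portmap request"),
    ("icmp", b"ABCDEFGHIJ", "icmp payload marker"),
]

MATCHER = ProtocolGroupedMatcher(RULES)
```

Because each payload is only ever fed to the automaton of its own protocol, the number of states walked per packet is bounded by that group's patterns rather than by the whole rule base; a packet of a protocol with no rules costs one dictionary lookup and no byte-level work at all.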
Snort, by contrast, performs no such pre-processing, so a packet is compared against all the rules irrespective of its protocol. This increases the number of searches needed and adds latency to the packet. Improved Snort reduces the number of searches considerably by confining the search to the rules of the protocol the packet belongs to. In most cases a network intrusion attempt can be detected by checking the content field of the packet alone rather than all its fields, so the pattern matching algorithm can be applied to match the content of the incoming packets against the content portion of the predefined rules. Further sub-grouping of rules by port can be done to reduce the number of searches even more.

In Improved Snort the automaton used for rule matching is built from the content portion of the rules alone, whereas in Snort the automaton is built from every attribute present in the rule. This results in a much deeper tree structure, requiring more processing power to compare the rules and more memory to store the automaton, and thereby in increased search time, CPU and memory usage. Increased search time directly translates into increased latency on the network packets, so the network underperforms. Packets carrying these intrusive patterns are captured and analyzed using Improved Snort.

IV. PERFORMANCE ANALYSIS OF SNORT AND IMPROVED SNORT

The comparative analysis between Improved Snort and Snort was performed on Ubuntu with the following system specification: a second-generation dual-core processor, 2 GB RAM and a 500 GB internal hard disk. Improved Snort was tested with its modified rules, whereas the default rules were retained for Snort.

Figure 2 / Table 1. CPU utilization of Improved Snort vs. Snort (columns: Sr. No., Improved Snort, Snort; data in MB)

Fig. 2 shows the percentage of CPU utilized by Improved Snort and Snort; Table 1 gives the data from which the conclusions are drawn. It is evident from the graph that as the number of rules increases, so does the CPU utilization. Improved Snort keeps pace with Snort up to a certain number of rules, but beyond that it continues to consume only 50% of the CPU, whereas Snort tends to grab 100% of the CPU cycles once the number of rules passes that point, leaving the system with no room to perform other jobs. With Snort, throughput decreases as time goes on, indicating severe latency being introduced into the packet flow. Snort processes more packets only when attacks such as DoS and DDoS are attempted against the system, and at the same time it starts to drop packets at a massive rate during these flooding attacks. With Improved Snort on guard, throughput is on par with a network where no IDS/IPS is operating: Improved Snort processes all the packets it receives without much packet loss, preserving high throughput. The response time of Improved Snort for pattern matching was also measured: intrusive patterns were generated to match the first and the last rule, using the Wireshark tool, and the time taken for the pattern matching was calculated. Pattern matching is faster with Improved Snort than with Snort, because Improved Snort pre-processes the rules and reduces the number of searches through the protocol based grouping described in the previous sections, which improves memory utilization and CPU usage considerably.

Figure 3 / Table 2. Throughput of Improved Snort vs. Snort (columns: Sr. No., Improved Snort, Snort; data in KB)

Fig. 3 shows the throughput achieved by Improved Snort and Snort; Table 2 gives the data from which the conclusions are drawn.
Figure 4 / Table 3. Memory consumption of Improved Snort vs. Snort (columns: Sr. No., Improved Snort, Snort; data in MB)

Fig. 4 compares Snort and Improved Snort in terms of memory consumption when the full rule base is used; Table 3 gives the data from which the conclusions are drawn. Improved Snort occupies fewer MB irrespective of the number of rules, because the automaton is constructed only for the content portion of the Snort rules, and all other portions, namely the rule header and the other fields of the rule options, are ignored. With Snort, memory utilization increases with the number of rules and reaches around 2-3 GB when the full rule base is used, since it constructs the automaton for all the fields in the rules. Tests were also performed to verify the memory consumed by Snort and Improved Snort with the default rule set. It is clear from the graph that Improved Snort occupies fewer MB whereas Snort consumes much more when the default rules are loaded. Improved Snort's memory utilization then stabilizes, whereas Snort continues to consume memory aggressively.

E. Previous Work: Accelerating Multipattern Matching on Compressed HTTP Traffic (Anat Bremler-Barr and Yaron Koral)

Current security tools using signature based detection do not handle compressed traffic, whose market share is constantly increasing. That paper focuses on compressed HTTP traffic. HTTP uses GZIP compression, which requires some kind of decompression phase before string matching can be performed. The authors present a novel algorithm, the Aho-Corasick based algorithm for Compressed HTTP (ACCH), that takes advantage of information gathered during the decompression phase to accelerate the commonly used Aho-Corasick pattern matching algorithm. By analyzing real HTTP traffic and real Web application firewall signatures, they show that up to 84% of the data can be skipped during the scan.
Surprisingly, they show that it is faster to perform pattern matching on the compressed data, even paying for decompression, than on regular traffic. As far as they know, theirs is the first paper to analyze the problem of on-the-fly multipattern matching on compressed HTTP traffic and to suggest a solution.

F. Drawbacks of Previous Work

In the DEFLATE format, Huffman coding maps both ASCII characters (literals) and pointers into code words using two dictionaries, one for the literals and pointer lengths and the other for the pointer distances. Huffman coding may use either fixed or dynamic dictionaries; dynamic dictionaries give a better compression ratio. The Huffman dictionaries for the two alphabets appear in the block immediately after the header bits and before the actual compressed data. A common implementation of Huffman decoding uses two levels of lookup tables. The first level stores all code words of length less than 9 bits in a table of 2^9 entries representing all possible inputs; each entry holds the symbol value and its actual length. If a symbol exceeds 9 bits, there is an additional reference to a second lookup table. Thus in most cases decoding a symbol requires only one memory reference, while for the less frequent symbols it requires two. The basic AC algorithm constructs a deterministic finite automaton (DFA) for detecting all occurrences of the given patterns while processing the input in a single pass. The input is inspected symbol by symbol (usually each symbol is a byte), and each symbol results in one state transition. Thus the AC algorithm has deterministic performance that does not depend on the input, and it is therefore not vulnerable to algorithmic complexity attacks, which makes it very attractive for NIDS. Note that this common encoding requires a large matrix, with one row per DFA state and one column per ASCII symbol, i.e. one entry per DFA edge.
The bottom line is that DFAs require a significant amount of memory; they are therefore usually kept in main memory and are characterized by random rather than sequential memory accesses. There is no apparent easy way to perform multipattern matching over compressed traffic without decompressing the data in some way. This is mainly because LZ77 is an adaptive compression: the text represented by each symbol is determined dynamically by the data, so the same substring is encoded differently depending on its location within the text, and encoding the pattern itself in order to search for it in the compressed stream is futile.

Space: one problem of decompression is its memory requirement. The straightforward approach requires a 32 KB sliding window for each HTTP session. This requirement is difficult to avoid, since a back-reference pointer can refer to any point within the sliding window, and pointers may be nested without limit (a pointer may point to an area that itself contains a pointer). Pattern matching on uncompressed traffic, on the other hand, requires storing only one or two packets (to handle cross-packet data), where the maximum size of a TCP packet is 1.5 KB. Hence, dealing with compressed traffic raises the memory requirement by a factor of more than 10.

Time: recall that pattern matching is a dominant factor in the performance of security tools [1], and performing decompression further increases the overall time penalty. Therefore security tools tend to ignore compressed traffic.
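The two costs just described, the per-session decompression state and the need to decompress before matching, as an added example written for this page (not ACCH's code): a per-connection scanner that keeps a gzip decompressor (whose window is the 32 KB the text refers to) alive across packets, plus a small carry buffer so a pattern split across two packets is still found, and a check of whether the same pattern is visible in the compressed bytes at all. The HTTP body, the pattern and the 40-byte segment size are constructed for the example.

```python
import zlib

# Constructed sample: a gzip-encoded HTTP body in which the same script
# fragment appears twice, 840 bytes apart.  The encoder emits the second copy
# largely as LZ77 back-references rather than as literal bytes.
PATTERN = b"eval(unescape("
FRAGMENT = b"<script>" + PATTERN + b"aaaaaaaaaa))</script>"
BODY = (b"<html><body>" + FRAGMENT
        + b"<!-- nothing here -->" * 40
        + FRAGMENT.replace(b"aaaaaaaaaa", b"bbbbbbbbbb") + b"</body></html>")


def gzip_bytes(data: bytes) -> bytes:
    c = zlib.compressobj(wbits=31)          # 31 = gzip wrapper, 32 KB window
    return c.compress(data) + c.flush()


def packetize(stream: bytes, size: int):
    """Split a byte stream into fixed-size chunks, standing in for TCP segments."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


class CompressedSession:
    """State an IDS must hold per HTTP connection carrying a gzip body: the
    decompressor (which owns the LZ77 sliding window) plus a carry buffer of
    max(len(pattern)) - 1 plaintext bytes so that a match split across two
    packets is still found.  Matches are reported as (plaintext_offset, pattern)."""

    def __init__(self, patterns):
        self.patterns = list(patterns)
        self.keep = max(len(p) for p in self.patterns) - 1
        self.decomp = zlib.decompressobj(wbits=31)
        self.carry = b""
        self.offset = 0           # plaintext offset of carry[0]
        self.hits = []

    def feed(self, packet: bytes) -> bytes:
        plain = self.decomp.decompress(packet)   # b"" while only a partial header has arrived
        buf = self.carry + plain
        old = len(self.carry)
        for p in self.patterns:
            i = buf.find(p)
            while i != -1:
                if i + len(p) > old:             # ends in new data: not reported last time
                    self.hits.append((self.offset + i, p))
                i = buf.find(p, i + 1)
        if self.keep == 0:
            new_carry = b""
        elif len(buf) > self.keep:
            new_carry = buf[-self.keep:]
        else:
            new_carry = buf
        self.offset += len(buf) - len(new_carry)
        self.carry = new_carry
        return plain

    @property
    def finished(self) -> bool:
        return self.decomp.eof


def scan_session(packets, patterns):
    """Feed every segment of one connection through a single session object."""
    session = CompressedSession(patterns)
    for pkt in packets:
        session.feed(pkt)
    return session.hits, session.finished


def pattern_visible_in_compressed(body: bytes, pattern: bytes) -> bool:
    """Would a matcher that ignores Content-Encoding see the pattern?  With
    bit-packed Huffman literals and LZ77 back-references it normally does not."""
    return pattern in gzip_bytes(body)


PACKETS = packetize(gzip_bytes(BODY), 40)    # 40-byte segments, constructed
```

Every open connection with a gzip body costs one `decompressobj` (the window) plus the carry buffer for as long as the body is in flight, which is the space overhead the section describes; an IDS that dropped that state between packets would have to restart decompression from the beginning of the body.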

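The AC automaton described in the previous section and the Uncheck-status skipping described in the next paragraph, as one added example that is not code from the paper (the skip rule is a simplification written for this example, not the paper's own procedure): AhoCorasick builds the full-matrix DFA with one entry per state and byte, and CompressedScanner decompresses an LZ77-style token stream while recording, for every byte, whether the DFA was at its root (Uncheck) or in some deeper state (Check). When a pointer copies bytes whose earlier copy is marked Uncheck, the DFA is provably at the root there as well, so the bytes in between are not scanned and their statuses and matches are inherited from the earlier copy. The patterns, the token stream and the choice of depth 0 as the Uncheck threshold are constructed assumptions, and the scanner keeps the whole decompressed text rather than a bounded window.

```python
"""Aho-Corasick DFA scanning over an LZ77-style token stream with a per-byte
Uncheck/Check status: bytes produced by a back-reference pointer are skipped
when the copy they refer to proves the DFA was at its root. Added example, not
code from the paper; patterns, token stream and the rule 'Uncheck == depth 0'
are constructed assumptions."""
from collections import deque

UNCHECK, CHECK = 0, 1


class AhoCorasick:
    # Full-matrix AC DFA: 256 transitions per state, exactly one step per byte.
    def __init__(self, patterns):
        self.goto, self.depth, self.out = [[-1] * 256], [0], [[]]
        for pat in patterns:
            s = 0
            for b in pat:
                if self.goto[s][b] == -1:
                    self.goto.append([-1] * 256)
                    self.depth.append(self.depth[s] + 1)
                    self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(len(pat))          # pattern length ending in state s
        fail, q = [0] * len(self.goto), deque()
        for b in range(256):                      # root: missing edges loop to root
            if self.goto[0][b] == -1:
                self.goto[0][b] = 0
            else:
                q.append(self.goto[0][b])
        while q:                                  # BFS: failure links, then fill edges
            s = q.popleft()
            for b in range(256):
                t = self.goto[s][b]
                if t == -1:
                    self.goto[s][b] = self.goto[fail[s]][b]
                else:
                    fail[t] = self.goto[fail[s]][b]
                    self.out[t] = self.out[t] + self.out[fail[t]]
                    q.append(t)

    def matrix_entries(self):
        return len(self.goto) * 256               # the |states| x |alphabet| table


class CompressedScanner:
    # Single pass over the decompressed bytes, remembering a status per byte.
    def __init__(self, ac):
        self.ac, self.state = ac, 0
        self.text, self.status = bytearray(), []
        self.match_at = {}                        # end index -> matched lengths
        self.scanned = 0                          # bytes actually fed to the DFA

    def _step(self, i):
        self.state = self.ac.goto[self.state][self.text[i]]
        self.scanned += 1
        self.status.append(UNCHECK if self.ac.depth[self.state] == 0 else CHECK)
        for ln in self.ac.out[self.state]:
            self.match_at.setdefault(i, []).append(ln)

    def feed(self, tokens):
        for tok in tokens:
            if isinstance(tok, int):              # literal byte: always scanned
                self.text.append(tok)
                self._step(len(self.text) - 1)
                continue
            dist, length = tok                    # back-reference pointer
            start, ref = len(self.text), len(self.text) - dist
            for k in range(length):               # LZ77 copy; may overlap itself
                self.text.append(self.text[ref + k])
            t = 0
            while t < length:
                u = -1                            # farthest referred byte known Uncheck
                if self.state == 0:               # skipping is only sound from the root
                    for j in range(t, length):
                        if ref + j >= len(self.status):
                            break
                        if self.status[ref + j] == UNCHECK:
                            u = j
                if u < 0:                         # nothing to skip: scan one byte
                    self._step(start + t)
                    t += 1
                    continue
                for k in range(t, u + 1):         # skip t..u: inherit status and matches
                    self.status.append(self.status[ref + k])
                    for ln in self.match_at.get(ref + k, ()):
                        if k - ln + 1 >= t:       # match lies wholly inside the copied run
                            self.match_at.setdefault(start + k, []).append(ln)
                t = u + 1                         # the DFA is at the root at offset u

    def matches(self):
        return sorted((i, ln) for i, lns in self.match_at.items() for ln in lns)


def demo():
    # Constructed stream: literals, a 16-byte pointer, literals, an overlapping pointer.
    ac = AhoCorasick([b"attack", b"shell"])
    sc = CompressedScanner(ac)
    sc.feed(list(b"no attack here, ") + [(16, 16)] + list(b"shell") + [(5, 10)])
    return sc.matches(), sc.scanned, len(sc.text)
```

demo() returns the matches as (end index, pattern length) pairs, the number of bytes fed to the DFA and the decompressed length: 31 of 47 bytes are scanned. The first pointer is skipped entirely, because the bytes it copies end in Uncheck positions and the "attack" match inside them is inherited; the second pointer is scanned in full, because the DFA enters it in the middle of a "shell" match and never returns to the root, which is the "fewer bytes skipped" case of the text. A plain AC scan of the decompressed bytes finds the same matches.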
A byte with Uncheck status provides a location from which scanning can be restarted. Hence, every byte with Uncheck status raises the chance of skipping more bytes. As shown in our experimental results section, most of the time the DFA is in states of low depth, so in most cases the status is Uncheck. Therefore, we can skip scanning most of the bytes; a Check status only causes fewer bytes to be skipped.

III. CONCLUSION

This paper discusses a performance-enhanced IDS/IPS tool called Improved Snort, which was initially modeled on Snort. The main motive of Improved Snort is to develop a better tool capable of detecting and preventing DoS attacks, which are still treated as a major security threat. By performing a series of preprocessing steps, Improved Snort manages to perform misuse and anomaly detection more precisely and rapidly, thereby reducing the rate of false alarms. Improved Snort also reduces the amount of memory and CPU consumed. The memory reduction was achieved by the preprocessing steps, which construct the automata for the rule options only, and in fact only for the content portion of the Snort rules. Snort, in contrast, constructs automata for both the rule header and the rule options, which consumes more memory and produces a large number of transitions. It is sufficient to construct the automata for the content portion alone, since U2R and R2L attacks are mainly content-based and the content portion of a Snort rule suffices to detect them. The increased execution speed was achieved by grouping the rules and processing them by protocol, thereby reducing the number of searches. One of the main drawbacks of Snort is that under flooding it starts to drop packets at a high rate without even analyzing them, whereas Improved Snort processes more packets at an almost constant rate irrespective of flooding and other types of attacks.
Improved Snort has IPS capability built in, whereas Snort needs additional plug-ins to achieve the same. Improved Snort also integrates both the misuse detection and the anomaly detection modules, which reduces the number of false alarms generated to a great extent. If an intrusion attempt manages to bypass one module, it will be picked up by the other: if an attack escapes the misuse detection module, it will be detected by the anomaly detection module, and vice versa.

REFERENCES

[1] Snort homepage.
[2]
[3] Coit C. J.; Staniford S.; McAlerney J. (2001): Towards Faster String Matching for Intrusion Detection or Exceeding the Speed of Snort, pp.
[4] Wireshark Tutorial.
[5] Zhou Zhimin, Chen Zhongwen, Zhou Tiecheng, Guan Xiaohui: The Study on Network Intrusion Detection System of Snort. 2010 International Conference on Networking and Digital Society. Department of Computer Science, Zhejiang Water Conservancy and Hydropower College, Hangzhou, China.
[6] Aho A. V.; Corasick M. J. (1975): Efficient String Matching: An Aid to Bibliographic Search, Bell Laboratories, Communications of the ACM, pp.
[7] Seguin K.: The Little MongoDB Book.
[8] Roesch M. (1999): Snort: Lightweight Intrusion Detection for Networks, In Proceedings of the 1999 USENIX LISA Systems Administration Conference, pp.
[9] Suter R. (2012): MongoDB: An Introduction and Performance Analysis, Seminar Thesis, Rapperswil.
[10] Tongaonkar A.; Vasudevan S.; Sekar R. (2008): Fast Packet Classification for Snort by Native Compilation of Rules, Stony Brook University, 22nd Large Installation System Administration Conference, pp.
[11]
[12] Working with Snort Rules, Pearson Education Inc., Dec.
[13]
[14] Rødfoss J. T.: Comparison of Open Source Network Intrusion Detection Systems (Rodfoss.pdf).
[15] Chauhan A.: Comparison of Different Intrusion Detection and Prevention Systems.
[16] Li H.; Liu D.: Research on Intelligent Intrusion Prevention System Based on Snort. 2010 International Conference on Computer, Mechatronics, Control and Electronic Engineering (CMCE). Graduate School and School of Computer Science and Engineering, Changchun University of Technology, Changchun, China.
[17] Zhai J.; Xie Y.: Research on Network Intrusion Prevention System Based on Snort. 2011 The 6th International Forum on Strategic Technology. Computer Science & Technology College, Harbin University of Science and Technology, Harbin, China.


Configurable String Matching Hardware for Speeding up Intrusion Detection. Monther Aldwairi*, Thomas Conte, Paul Franzon Configurable String Matching Hardware for Speeding up Intrusion Detection Monther Aldwairi*, Thomas Conte, Paul Franzon Department of Electrical and Computer Engineering, North Carolina State University,

More information

Cisco IPS Tuning Overview

Cisco IPS Tuning Overview Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.

More information

Radware s Behavioral Server Cracking Protection

Radware s Behavioral Server Cracking Protection Radware s Behavioral Server Cracking Protection A DefensePro Whitepaper By Renaud Bidou Senior Security Specialist,Radware October 2007 www.radware.com Page - 2 - Table of Contents Abstract...3 Information

More information

A Protocol Based Packet Sniffer

A Protocol Based Packet Sniffer Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 4, Issue. 3, March 2015,

More information

How To Protect A Network From Attack From A Hacker (Hbss)

How To Protect A Network From Attack From A Hacker (Hbss) Leveraging Network Vulnerability Assessment with Incident Response Processes and Procedures DAVID COLE, DIRECTOR IS AUDITS, U.S. HOUSE OF REPRESENTATIVES Assessment Planning Assessment Execution Assessment

More information

EFFECTIVE IMPLEMENTATION OF DYNAMIC CLASSIFICATION FOR NETWORK FORENSIC AND TRAFFIC ANALYSIS

EFFECTIVE IMPLEMENTATION OF DYNAMIC CLASSIFICATION FOR NETWORK FORENSIC AND TRAFFIC ANALYSIS EFFECTIVE IMPLEMENTATION OF DYNAMIC CLASSIFICATION FOR NETWORK FORENSIC AND TRAFFIC ANALYSIS Manu Bansal Assistant Professor Department of IT University Institute of Engineering & Technology Panjab University,

More information

Radware s Attack Mitigation Solution On-line Business Protection

Radware s Attack Mitigation Solution On-line Business Protection Radware s Attack Mitigation Solution On-line Business Protection Table of Contents Attack Mitigation Layers of Defense... 3 Network-Based DDoS Protections... 3 Application Based DoS/DDoS Protection...

More information

Preprocessing Web Logs for Web Intrusion Detection

Preprocessing Web Logs for Web Intrusion Detection Preprocessing Web Logs for Web Intrusion Detection Priyanka V. Patil. M.E. Scholar Department of computer Engineering R.C.Patil Institute of Technology, Shirpur, India Dharmaraj Patil. Department of Computer

More information

A Comparison of Four Intrusion Detection Systems for Secure E-Business

A Comparison of Four Intrusion Detection Systems for Secure E-Business A Comparison of Four Intrusion Detection Systems for Secure E-Business C. A. P. Boyce, A. N. Zincir-Heywood Faculty of Computer Science, Dalhousie University, Halifax, NS, Canada {boyce, zincir} @ cs.dal.ca

More information

CHAPTER 3 PROBLEM STATEMENT AND RESEARCH METHODOLOGY

CHAPTER 3 PROBLEM STATEMENT AND RESEARCH METHODOLOGY 51 CHAPTER 3 PROBLEM STATEMENT AND RESEARCH METHODOLOGY Web application operations are a crucial aspect of most organizational operations. Among them business continuity is one of the main concerns. Companies

More information

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by

More information