On the fly pattern matching for intrusion detection with Snort

Intrusion Detection Systems are becoming necessary tools for system administrators to protect their networks. However, they face increasing difficulty with high-speed networks. To enhance their capacity and deal with evasion techniques frequently used by hackers, we have introduced a new method to filter network traffic. The detection method, while stateful, processes each packet as soon as it is received. We employ this strategy on top of a new classification of detection rules; then we use efficient multi-pattern search methods and a suitable data structure for signatures. The method has been successfully implemented as an extension of the Intrusion Detection System “Snort”.

Summary (translated from the French résumé): Intrusion detection systems have become indispensable for administrators protecting their networks. However, these tools have shortcomings in handling high throughput and in carrying out a precise analysis of packet contents. In this article we propose a new approach for filtering network traffic. This method is able to process each packet as soon as it is received while keeping track of connection state. We rely on an intelligent organization of the detection rules and on algorithms that search for several signatures at once. This methodology has been successfully implemented in the intrusion detection system “Snort”.
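As an added illustration of the stateful, on-the-fly matching the abstract describes (example code written for this page, not the authors' implementation and not Snort's own code), the block below builds a multi-pattern automaton over a set of signatures and carries the automaton state per flow from one packet to the next, so a signature split across two segments is still found when the second segment arrives. The choice of Aho-Corasick as the multi-pattern search, the flow key, the assumption that a flow's segments arrive in order, and the signatures and HTTP payloads are all assumptions of this example and are not stated in the abstract.

```python
from collections import deque


class AhoCorasick:
    """Multi-pattern automaton (Aho-Corasick): one left-to-right pass over a
    byte string reports every occurrence of every pattern in the set."""

    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.goto = [{}]   # node -> {byte: next node}
        self.fail = [0]    # node -> longest proper suffix that is also a trie path
        self.out = [[]]    # node -> indices of patterns ending at this node
        for idx, pat in enumerate(self.patterns):
            node = 0
            for b in pat:
                if b not in self.goto[node]:
                    self.goto[node][b] = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                node = self.goto[node][b]
            self.out[node].append(idx)
        # Breadth-first construction of failure links; merging the failure
        # target's outputs lets a node also report patterns that are its suffixes.
        queue = deque(self.goto[0].values())
        while queue:
            cur = queue.popleft()
            for b, nxt in self.goto[cur].items():
                f = self.fail[cur]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(b, 0)
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]
                queue.append(nxt)

    def step(self, state, b):
        """Consume one byte and return the new automaton state."""
        while state and b not in self.goto[state]:
            state = self.fail[state]
        return self.goto[state].get(b, 0)

    def find_all(self, data):
        """Stateless scan of one buffer: list of (pattern, start offset)."""
        hits, state = [], 0
        for i, b in enumerate(data):
            state = self.step(state, b)
            for idx in self.out[state]:
                pat = self.patterns[idx]
                hits.append((pat, i - len(pat) + 1))
        return hits


class StreamScanner:
    """Per-flow scanner: the automaton state survives between packets, so a
    signature split over two segments is matched as soon as the second one
    is received. Assumes a flow's segments arrive in order (a real sensor
    would reassemble on TCP sequence numbers first)."""

    def __init__(self, automaton):
        self.ac = automaton
        self.flows = {}  # flow key -> (automaton state, bytes seen so far)

    def scan_packet(self, flow, payload):
        state, base = self.flows.get(flow, (0, 0))
        hits = []
        for i, b in enumerate(payload):
            state = self.ac.step(state, b)
            for idx in self.ac.out[state]:
                pat = self.ac.patterns[idx]
                # Offsets are reported relative to the start of the stream.
                hits.append((pat, base + i - len(pat) + 1))
        self.flows[flow] = (state, base + len(payload))
        return hits

    def close_flow(self, flow):
        """Drop per-flow state when the connection ends."""
        self.flows.pop(flow, None)


# Constructed signatures and a constructed request split across two segments
# so that "/etc/passwd" straddles the packet boundary.
SIGNATURES = [b"/etc/passwd", b"cmd.exe"]
SEGMENTS = [b"GET /cgi-bin/../et", b"c/passwd HTTP/1.0"]


def demo():
    """Compare a stateless per-packet scan with the stateful per-flow scan."""
    ac = AhoCorasick(SIGNATURES)
    flow = ("10.0.0.1", 40000, "10.0.0.2", 80)  # constructed 4-tuple
    stateless = [ac.find_all(seg) for seg in SEGMENTS]
    scanner = StreamScanner(ac)
    stateful = [scanner.scan_packet(flow, seg) for seg in SEGMENTS]
    scanner.close_flow(flow)
    return stateless, stateful


if __name__ == "__main__":
    stateless, stateful = demo()
    print("per-packet, no state:", stateless)   # [[], []]
    print("per-packet, stateful:", stateful)    # [[], [(b'/etc/passwd', 15)]]
```

The stateless scan of each segment on its own reports nothing, which is exactly the gap that splitting a signature across segments exploits; the per-flow scanner reports the match at stream offset 15 the moment the second segment is processed, without buffering the earlier segment, which is the "stateful but on the fly" property the abstract claims.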
