
On the fly pattern matching for intrusion detection with Snort

Filtrage de Paquets à la Volée pour la Détection D’Intrusions avec Snort

Published in Annales des Télécommunications

Abstract

Intrusion detection systems are becoming necessary tools for system administrators protecting their networks, but they struggle increasingly with high-speed links. To raise their capacity and to cope with the evasion techniques attackers frequently use, we introduce a new method for filtering network traffic. The detection method is stateful, yet it processes each packet as soon as it is received. We apply this strategy after a new classification of the detection rules, and then use efficient multi-pattern search methods and a suitable data structure for the signatures. The method has been implemented successfully as an extension of the intrusion detection system Snort.
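The abstract names three ingredients: rules grouped by a classification, a multi-pattern search over each group, and per-packet processing that still keeps connection state. The following is an added example written for this page, not code from the authors or from Snort. It groups constructed "content"-style signatures by destination port (a simple stand-in for the paper's rule classification), compiles each group into an Aho-Corasick automaton, and scans every packet on arrival while carrying the automaton state per flow, so a signature split across two TCP segments is still reported without first reassembling the stream into a buffer. The rule names, flow tuple and payloads are made up; a stateless per-packet scan of the same packets is included to show the evasion the stateful scan closes.

```python
"""Stateful, on-the-fly multi-pattern matching over a packet stream.

Added example constructed for this page; not code from Abbes, Bouhoula and
Rusinowitch or from Snort.  Rules are grouped by destination port, each
group is compiled into one Aho-Corasick automaton, and every packet is
scanned as it arrives with the automaton state kept per flow.  All
signatures, flow keys and payloads below are made up.
"""
from collections import deque


class AhoCorasick:
    """Classic Aho-Corasick automaton over byte strings."""

    def __init__(self, patterns):
        self.patterns = list(patterns)
        self.goto = [{}]      # node -> {byte: next node}
        self.out = [set()]    # node -> ids of patterns ending at this node
        self.fail = [0]       # node -> failure link
        for pid, pat in enumerate(self.patterns):
            node = 0
            for b in pat:
                if b not in self.goto[node]:
                    self.goto[node][b] = len(self.goto)
                    self.goto.append({})
                    self.out.append(set())
                    self.fail.append(0)
                node = self.goto[node][b]
            self.out[node].add(pid)
        # Breadth-first construction of failure links; the outputs of the
        # failure target are merged so nested patterns are reported as well.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]

    def scan(self, state, data, base):
        """Feed data from a saved state; return (new state, [(end offset, pid)])."""
        hits = []
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for pid in self.out[state]:
                hits.append((base + i, pid))
        return state, hits


class StreamMatcher:
    """Per-flow scanner: rules grouped by destination port, state kept per flow."""

    def __init__(self, rule_groups):
        # rule_groups: {dst_port: {rule name: content bytes}}
        self.groups = {}
        for port, rules in rule_groups.items():
            names = list(rules)
            self.groups[port] = (names, AhoCorasick(rules[n] for n in names))
        self.flows = {}   # (src, sport, dst, dport) -> (automaton state, bytes seen)

    def _report(self, names, ac, hits):
        return sorted((names[pid], end - len(ac.patterns[pid]) + 1)
                      for end, pid in hits)

    def packet(self, flow, payload):
        """Scan one packet as it arrives; returns sorted [(rule, stream offset)]."""
        dport = flow[3]
        if dport not in self.groups:
            return []          # no rule group applies to this service
        names, ac = self.groups[dport]
        state, seen = self.flows.get(flow, (0, 0))
        state, hits = ac.scan(state, payload, seen)
        self.flows[flow] = (state, seen + len(payload))
        return self._report(names, ac, hits)

    def packet_stateless(self, flow, payload):
        """Same scan but restarted at the root for every packet (no flow state)."""
        dport = flow[3]
        if dport not in self.groups:
            return []
        names, ac = self.groups[dport]
        _, hits = ac.scan(0, payload, 0)
        return self._report(names, ac, hits)


# Constructed rule set, in the spirit of Snort "content:" options (made up).
RULES = {
    80: {"etc-passwd": b"/etc/passwd", "passwd": b"passwd", "cmd-exe": b"cmd.exe"},
    21: {"ftp-site-exec": b"SITE EXEC"},
}

# Constructed HTTP request split so the signature straddles two segments.
FLOW = ("10.0.0.5", 40212, "10.0.0.80", 80)
PACKETS = [b"GET /cgi-bin/../../etc/pa", b"sswd HTTP/1.0\r\n"]


def demo():
    """Returns (stateful results per packet, stateless results per packet)."""
    m = StreamMatcher(RULES)
    stateful = [m.packet(FLOW, p) for p in PACKETS]
    stateless = [m.packet_stateless(FLOW, p) for p in PACKETS]
    return stateful, stateless


if __name__ == "__main__":
    s, n = demo()
    print("stateful :", s)   # second packet reports both rules at stream offsets 18 and 23
    print("stateless:", n)   # nothing: the split evades a per-packet scan
```

The per-flow entry holds only an automaton state and a byte counter, which is what makes the scan both stateful and on-the-fly: nothing from earlier packets is buffered, and the cost per byte is the same as for a single-packet scan. The "passwd" hit alongside "/etc/passwd" comes from merging outputs along failure links, which is why nested signatures need no second pass.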

Résumé (French abstract, translated)

Intrusion detection systems have become indispensable for administrators protecting their networks. However, these tools fall short when handling high bandwidth and when performing a precise analysis of packet contents. In this article we propose a new approach to filtering network traffic. The method can process each packet as soon as it is received while keeping track of connection state. It relies on an intelligent organisation of the detection rules and on algorithms that search for several signatures at once. This method has been successfully implemented in the intrusion detection system Snort.



Author information

Correspondence to Tarek Abbes.


Cite this article

Abbes, T., Bouhoula, A. & Rusinowitch, M. On the fly pattern matching for intrusion detection with Snort. Ann. Télécommun. 59, 1045–1071 (2004). https://doi.org/10.1007/BF03179710
