Malicious Traffic Detection in Local Networks With Snort

Date Added: Sep 2009
Format: PDF

Snort is an open source Network Intrusion Detection System that combines the benefits of signature-, protocol- and anomaly-based inspection and is considered the most widely deployed IDS/IPS technology worldwide. However, deploying Snort in a large corporate network poses a number of problems in terms of performance and rule selection. This paper proposes several improvements to the Snort Security Platform: the use of an alternative packet-capture library is proposed to significantly increase the amount of traffic that can be analyzed, and Snort's multithreading possibilities are explored. A new rule classification has been devised, and rulesets suited to large corporate networks are proposed. The use of Oinkmaster to seamlessly update Snort's rules has been tested and documented.