Influence of existing rule processing optimizations on the performance of the Snort 3 network intrusion detection system

Authors

  • Gorbatov V.S.
  • Zhurba A.O.

DOI:

https://doi.org/10.34185/1562-9945-3-152-2024-04

Keywords:

Snort 3, NIDS, Performance, Fast Pattern, Attack Detection, Rule, Signature, Optimization, Algorithm, Protocol.

Abstract

Network intrusion detection systems (NIDS) are a key component of cybersecurity: they analyze network traffic to detect anomalous or malicious activity such as intrusion attempts, viruses, the use of software exploits and more, and to warn of and respond to potential network threats. To be effective, a NIDS must inspect packets at or near line rate; its speed is critical because it enables timely mitigation of potential cyber threats and uninterrupted operation of business processes. One of the most widely used and recognized NIDS tools is Snort, which has long proven itself as a powerful means of protecting networks. Snort 3 is the updated version of this system; it offers multithreading, higher throughput than Snort 2, greater modularity and other advantages [2], so this article concentrates on it.

Optimizing the operation of a NIDS is a pressing task. Because existing systems are varied and multifunctional, there is a wide field for analyzing and improving NIDS efficiency, both for specific tasks and for general-purpose use; many works compare the performance of Snort 3 with that of other intrusion detection systems [3] in different types of infrastructure, which helps users choose the best option for their environment. The purpose of this study is to examine the three main rule processing optimization algorithms used in Snort 3, namely Fast Pattern, port-based clustering and protocol-based clustering. For each of them, the article describes the basic implementation, the modifications to the source code needed to disable the algorithm, and the algorithm's impact on the overall speed of the system.

On configurations with a small number of rules, some results showed a slight performance improvement when the optimization algorithms were disabled. In most cases, however, a clear drop in performance of 10% or more is observed. The largest deterioration occurs when Fast Pattern matching is disabled: without this algorithm, throughput can fall by up to a factor of 20.
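The three optimizations the abstract names all reduce how many rules reach full evaluation for a given packet. The toy model below, an added illustration written for this page and not code from the paper or from Snort itself, reproduces the mechanism: rules are indexed into (protocol, port) groups, one content per rule is chosen as its fast pattern (Snort's default heuristic prefers the longest content), a multi-pattern search over the group's fast patterns selects the rules worth evaluating, and only those rules get the expensive full check. The rules, the packet and the "any"-port catch-all bucket are constructed simplifications; the counters in the result show why disabling Fast Pattern hurts most.

```python
"""Toy model of Snort 3 rule pre-filtering: protocol groups, port groups and
fast-pattern pre-matching.  Added illustration for this page, not Snort's own
code; rules, packet and counters are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int
    proto: str        # "tcp" or "udp"
    dst_port: str     # port number as text, or "any"
    contents: tuple   # byte strings that must ALL occur in the payload


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    payload: bytes


def fast_pattern(rule: Rule) -> bytes:
    """One content per rule is its fast pattern.  Snort's default heuristic
    favours the longest content; max() keeps the first one on ties."""
    return max(rule.contents, key=len)


def build_groups(rules, by_proto: bool, by_port: bool):
    """Index rules by (proto, port).  Either key part is dropped when that
    clustering is disabled, so the groups degrade to one big bucket."""
    groups = defaultdict(list)
    for r in rules:
        key = (r.proto if by_proto else None, r.dst_port if by_port else None)
        groups[key].append(r)
    return groups


def lookup(groups, packet: Packet, by_proto: bool, by_port: bool):
    """Candidate rules for a packet: its exact port group plus the 'any'
    group (modelling simplification of how Snort merges any-port rules)."""
    proto = packet.proto if by_proto else None
    ports = [str(packet.dst_port), "any"] if by_port else [None]
    out = []
    for p in ports:
        out.extend(groups.get((proto, p), []))
    return out


def mpse_search(patterns, payload: bytes):
    """Patterns that occur in payload.  Snort finds them in one pass with an
    Aho-Corasick style matcher; a naive scan gives the same answer here."""
    return {p for p in patterns if p in payload}


def full_evaluate(rule: Rule, packet: Packet) -> bool:
    """The costly per-rule check: every content option must be present."""
    return all(c in packet.payload for c in rule.contents)


def inspect(packet, rules, use_proto=True, use_port=True, use_fast_pattern=True):
    """Run one packet through the pipeline; report how many rules each stage
    left for full evaluation and which rules finally matched."""
    candidates = lookup(build_groups(rules, use_proto, use_port),
                        packet, use_proto, use_port)
    if use_fast_pattern:
        fp_of = {r.sid: fast_pattern(r) for r in candidates}
        hits = mpse_search(set(fp_of.values()), packet.payload)
        to_evaluate = [r for r in candidates if fp_of[r.sid] in hits]
    else:
        to_evaluate = list(candidates)
    matched = sorted(r.sid for r in to_evaluate if full_evaluate(r, packet))
    return {"candidates": len(candidates),
            "evaluated": len(to_evaluate),
            "matched": matched}


RULES = [  # constructed sample rules, loosely in Snort's rule vocabulary
    Rule(1, "tcp", "80",  (b"GET ", b"/etc/passwd")),
    Rule(2, "tcp", "80",  (b"POST ", b"<script>")),
    Rule(3, "tcp", "21",  (b"USER ", b"anonymous")),
    Rule(4, "tcp", "any", (b"\x90\x90\x90\x90\x90\x90",)),
    Rule(5, "udp", "53",  (b"\x00\x00\x29",)),
]
PKT = Packet("tcp", 80, b"GET /etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n")

if __name__ == "__main__":
    for cfg in [(True, True, True), (True, True, False),
                (True, False, False), (False, False, False)]:
        print("proto/port/fast_pattern =", cfg, "->", inspect(PKT, RULES, *cfg))
```

With all three filters on, only one of the five rules is fully evaluated; switching off port and protocol clustering raises that to four and five; switching off Fast Pattern alone raises it to three, and on a real rule set of tens of thousands of rules that is the stage whose loss the paper measures as up to a 20-fold slowdown.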

References

M. Roesch, "Snort: Lightweight intrusion detection for networks", Proceedings of LISA '99, vol. 1, pp. 229–238, 1999.

Comparing Snort 2 and Snort 3 on Firepower Threat Defense – Cisco. URL: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/217617-comparing-snort-2-and-snort-3-on-firepow.html.

C. Thorarensen, “A Performance Analysis of Intrusion Detection with Snort and Security Information Management”, Independent thesis Advanced level, Linköping University-Department of Computer and Information Science, 2021.

Granberg, N.: "Evaluating the effectiveness of free rule sets for Snort". Independent thesis Advanced level, Linköping University-Department of Computer and Information Science, 2022.

N. Khamphakdee, N. Benjamas and S. Saiyod, "Improving intrusion detection system based on Snort rules for network probe attacks detection with association rules technique of data mining", Journal of ICT Research and Applications, vol. 8, no. 3, pp. 11–21, 2015.

K. Salah and A. Kahtani, "Improving Snort performance under Linux", IET Communications, vol. 3, no. 12, pp. 1883–1895, 2009.

H. M. Elshafie, T. M. Mahmoud and A. A. Ali, "Improving the Performance of the Snort Intrusion Detection Using Clonal Selection", 2019 International Conference on Innovative Trends in Computer Engineering (ITCE), Aswan, Egypt, 2019, pp. 104–110.

P. Singh, S. Behal and K. Kumar, "Performance enhancement of a Malware Detection System using score based prioritization of Snort rules", 2015 International Conference on Green Computing and Internet of Things (ICGCIoT), Greater Noida, India, 2015, pp. 1150–1155.

Snort 3 User Manual. URL: https://usermanual.wiki/Document/snortmanual.760997111/view

Snort++ Developers Guide. URL: https://www.snort.org/downloads/snortplus/snort_devel.html#_detection

V. S. Gorbatov and A. O. Zhurba, "The method of pre-filtering signatures to speed up the search for attacks by the network intrusion detection system", Modern information and communication technologies in transport, industry and education: materials of the international science conference, Dnipro, December 13–14, 2023, pp. 136–137.

J. Munshaw, "Soft Release: lightSPD, the new rules package for Snort 3", Snort Blog. URL: https://blog.snort.org/2020/12/soft-release-lightspd-new-rules-package.html

C. Park, M. Han, H. Lee, M. Cho and S. W. Kim, "Performance Comparison between LLVM and GCC Compilers for the AE32000 Embedded Processor", IEIE Transactions on Smart Processing and Computing, vol. 3, no. 2, pp. 96–102, 2014.

2000 DARPA Intrusion Detection Scenario Specific Datasets, MIT Lincoln Laboratory. URL: https://www.ll.mit.edu/r-d/datasets/2000-darpa-intrusion-detection-scenario-specific-datasets

2012 MACCDC, MACCDC. URL: https://maccdc.org/maccdc-2012/

IDS 2017 Dataset, Canadian Institute for Cybersecurity, UNB. URL: https://www.unb.ca/cic/datasets/ids-2017.html

Published

2024-04-17