
Research on an Active Packet Filtering Preprocessor for Snort in High-Speed Network Environments

Abstract

An active packet filter preprocessor is designed and implemented for the open-source network intrusion detection system Snort. In a high-speed network environment, the preprocessor actively discards packets that have little impact on the false positive alarm rate, which reduces system load and avoids the random packet drops that occur when Snort runs overloaded. Because abnormal packets come mainly from a certain number of packets at the front of each network flow, the preprocessor monitors Snort's load in real time and, when the detection engine load exceeds a threshold, actively filters the normal packets at the tail of each flow. Experiments show that using the active packet filter preprocessor together with certain Snort tuning measures effectively decreases Snort's false negative alarm rate while keeping a relatively low false positive alarm rate, and greatly improves Snort's detection efficiency.
