• Convergence Security Journal
• /
• v.10 no.2
• /
• pp.1-9
• /
• 2010

Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and approximately 300,000 registered users. Snort identifies network indicators by inspecting network packets in transmission. A process on a host's machine usually generates these network indicators. This means whatever the snort signature matches the packet, that same signature must be in memory for some period (possibly micro seconds) of time. Finally, investigate some security issues that you should consider when running a Snort system. Paper coverage includes: How an IDS Works, Where Snort fits, Snort system requirements, Exploring Snort's features, Using Snort on your network, Snort and your network architecture, security considerations with snort under digital forensic windows environment.

• Convergence Security Journal
• /
• v.14 no.5
• /
• pp.3-8
• /
• 2014

We have tried to compare two different IDSs which are widespread over the network administrator, Snort and Suricata, in functional and performance aspects. Specifically, we focused on analyzing upon what functions for detecting threat were added newly and what Multi-Threading introduced newly for Suricata has influenced in a performance aspect. As a result, we could discover that there are some features in Suricata which has never existed in Snort such as Protocol Identification, HTTP Normalizer & Parser, and File Identification. Also, It was proved that the gap of PPS(Packets Per Second) becomes wider, as the number of CPU Cores which are working increase. Therefore, we could conclude that Suricata can be an efficient alternative for Snort considering the result that Suricata is more effective quantitatively as well as qualitatively.

• Proceedings of the Korean Information Science Society Conference
• /
• 2012.06c
• /
• pp.304-306
• /
• 2012

IDS는 네트워크를 통해 외부에서 들어오는 공격을 감지하고 차단하는 시스템으로 Snort는 대표적으로 널리 이용되고 있는 비상업적 IDS이다. Snort는 서버로 들어오는 패킷과 침입탐지 규칙을 비교하여 네트워크 공격을 탐지한다. 네트워크 공격이 다양해지고 인터넷 사용이 증가하면서 탐지할 대상이 많아졌기 때문에 Snort의 성능을 유지하기 어려워지고 있다. 따라서 소프트웨어적으로 탐지엔진의 알고리즘을 성능을 향상시키거나 하드웨어적으로 패킷처리 능력을 향상시키는 연구가 진행되고 있다. 본 논문에서는 소프트웨어나 하드웨어적인 성능 향상과는 달리 침입탐지 규칙에 기반하여 이를 좀 더 명확하고 효율적으로 정하고 관리하여 Snort의 성능을 향상시키는 접근방법을 제안하였다. 이를 위해 우선적으로 Snort의 침입탐지 규칙에 대해 분석하였고 그 중 개선할 수 있는 Snort 규칙에 대해서 새로운 침입탐지 규칙을 제안을 하였다.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.12 no.1
• /
• pp.89-95
• /
• 2016

Recent growth of hacking threats and development in software and technology put Network security under threat, In addition, intrusion, malware and worm virus have been increased due to the existence of variety of sophisticated hacking methods. The goal of this study is to compare Snort Alpha version with Suricata 2.0.11 version whereas previous study focuses on comparison between snort 2. x version under thread environment and Suricata under multi-threading environment. This thesis' experiment environment is set as followed. Intel (R) Core (TM) i5-4690 3. 50GHz (4threads) of CPU, 16GB of RAM, 3TB of Seagate HDD, Ubuntu 14.04 are used. According to the result, Snort Alpha version is superior to Suricata in performance, but Snort Alpha had some glitches when executing pcap files which created core dump errors. Therefore this experiment seeks to analyze which performs better between Snort Alpha version that supports multi packet processing threads and Suricata that supports multi-threading. Through this experiment, one can expect the better performance of beta and formal version of Snort in the future.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2013.10a
• /
• pp.666-668
• /
• 2013

Wireless network environment is spreading due to the increase of using mobile devices, causing wireless network abuse. Network security and intrusion detection have been paid attention to wireless as well as wired existing and studied actively Snort-based intrusion detection system (Intrusion Detection System) is a proven open source system which is widely used for the detection of malicious activity in the existing wired network. Snort Wireless has been developed in order to enable the 802.11 wireless detection feature. In this paper, Snort Wireless Rule is analyzed. Based on the results of the analysis, present the traveling direction of future research.

• Journal of Internet Computing and Services
• /
• v.13 no.2
• /
• pp.41-49
• /
• 2012

Wireless network support and extended mobile network environment with exponential growth of smart phone users allow us to utilize the network anytime or anywhere. Malicious attacks such as distributed DOS, internet worm, e-mail virus and so on through high-speed networks increase and the number of patterns is dramatically increasing accordingly by increasing network traffic due to this internet technology development. To detect the patterns in intrusion detection systems, an existing research proposed an efficient algorithm called the jumping window algorithm and analyzed approximately 2,000 patterns in Snort 2.1.0, the most famous intrusion detection system. using the algorithm. However, it is inappropriate from the number of TCAM lookups and TCAM memory efficiency to use the result proposed in the research in current environment (Snort 2.9.0) that has longer patterns and a lot of patterns because the jumping window algorithm is affected by the number of patterns and pattern length. In this paper, we simulate the number of TCAM lookups and the required TCAM size in the jumping window with approximately 8,100 patterns from Snort-2.9.0 rules, and then analyse the simulation result. While Snort 2.1.0 requires 16-byte window and 9Mb TCAM size to show the most effective performance as proposed in the previous research, in this paper we suggest 16-byte window and 4 18Mb-TCAMs which are cascaded in Snort 2.9.0 environment.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.13 no.1
• /
• pp.71-76
• /
• 2013

A computer worm is a standalone malware computer program that probes and exploits vulnerabilities of systems. It replicates and spreads itself to other computers via networks. In this paper, we study how to detect and prevent worms. First, we generated Codered II traffic on the emulated testbed called Deterlab. Then we identified dubious parts using Earlybird and wrote down Snort rules using Wireshark. Finally, by applying the Snort rules to the traffic, we could confirmed that worm detection was successfully done.

• Convergence Security Journal
• /
• v.6 no.2
• /
• pp.91-99
• /
• 2006

As the speed of network has fastened and the Internet has became common, an ill-intentioned aggression, such as worm and E-mail virus rapidly increased. So that there too many defenses created the recent Intrusion detection system as well as the Intrusion Prevention Systems to defense the malicious aggression to the network. Also as the form of malicious aggression has changed, at the same time the method of defense has changed. There is "snort" the most representive method of defense and its Rules file increases due to the change of aggression form. This causes decline of capability for detection. This paper suggest, design, and realize the structure for the improvement of processing capability by separating the files of Snort Rule according to o/s. This system show more improvement of the processing capability than the existing composion.

• Journal of Korea Society of Industrial Information Systems
• /
• v.8 no.4
• /
• pp.8-16
• /
• 2003

This paper moses a method to solve the weakness in Snort, the network based intrusion detection system. Snort which is the rule-based intrusion detection system dose not supports a protection method for their own rules which are signatures to detect intrusions. Therefore the purpose of this paper is to provide a scheme for protecting rules. The system with the proposed scheme could support integrity and confidentiality to the rules.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2013.11a
• /
• pp.702-704
• /
• 2013

네트워크의 급속한 발전으로 데이터가 방대해짐에 따라 정보시스템의 역기능으로 네트워크 공격이 다양해지고 빈번하게 발생하면서 네트워크 침입 탐지시스템 기능과 패킷 차단 기능이 중요시되고 있다. 본 논문에서는 침입 탐지 시스템 오픈 소스인 Snort와 리눅스의 iptables 시스템의 각 장점을 활용하여 연동하는 snort-inline과는 다른 방식을 사용하여 실시간으로 침입 탐지시스템의 역할을 하는 스크립트를 Python으로 구현하였다. 구현한 시스템의 성능 검증을 위해 공격자가 해킹 대상 시스템에 DOS 공격을 하여 구현 모듈에서 snort의 탐지 능력과 iptables의 패킷 차단 명령문이 실행되어 악의적 패킷 접근을 차단할 수 있음을 제시하였다.