14
Chapter 1 Introduction to Intrusion Detection and Snort
receiving systems are capable of reassembling these smaller units again to form the
original data packet. On an IDS, before you can apply any rules or look for a signature,
you have to reassemble the packet. For example, half of the signature may be present in
one segment and the other half in another segment. To detect the signature correctly, you
have to combine all of the packet segments. Hackers use fragmentation to defeat intrusion
detection systems.
The preprocessors are used to safeguard against these attacks. Preprocessors in
Snort can defragment packets, decode HTTP URIs, reassemble TCP streams and so on.
These functions are a very important part of the intrusion detection system.
1.3.3 The Detection Engine
The detection engine is the most important part of Snort. Its responsibility is to
detect if any intrusion activity exists in a packet. The detection engine employs Snort
rules for this purpose. The rules are read into internal data structures or chains where
they are matched against all packets. If a packet matches any rule, appropriate action is
taken; otherwise the packet is dropped. Appropriate actions may be logging the packet
or generating alerts.
The detection engine is the time-critical part of Snort. Depending upon how powerful
your machine is and how many rules you have defined, it may take different
amounts of time to respond to different packets. If traffic on your network is too high
when Snort is working in NIDS mode, you may drop some packets and may not get a
true real-time response. The load on the detection engine depends upon the following
factors:
Number of rules
Power of the machine on which Snort is running
Speed of internal bus used in the Snort machine
Load on the network
When designing a Network Intrusion Detection System, you should keep all of
these factors in mind.
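As an added example (not code from the book or from Snort), here is a small Python model of what a defragmentation preprocessor does for the detection engine: fragments are reassembled by offset and the rule content is then matched against the whole datagram, which shows why matching each fragment on its own misses a signature split across two fragments. The fragment tuple format, the signature and the sample datagram are constructed assumptions, not Snort's own data structures.

```python
# Added illustration, not code from the book: reassemble IP-style fragments
# by offset and apply a content signature, to show why a per-fragment check
# misses a signature that straddles a fragment boundary. The fragment tuple
# format, the signature and the sample datagram are constructed.
from typing import List, Optional, Tuple

Fragment = Tuple[int, bool, bytes]   # (offset, more_fragments flag, payload)

SIGNATURE = b"SIG-TEST-ABC"          # constructed stand-in for a rule's content
FULL_PAYLOAD = b"GET /index.html?q=SIG-TEST-ABC HTTP/1.0\r\n"  # constructed


def fragment(data: bytes, size: int) -> List[Fragment]:
    """Split a datagram into fixed-size fragments, like IP fragmentation does."""
    return [(off, off + size < len(data), data[off:off + size])
            for off in range(0, len(data), size)]


def reassemble(fragments: List[Fragment]) -> Optional[bytes]:
    """Rebuild the datagram. Fragments may arrive in any order; returns None
    while a fragment is still missing (a hole, or no final fragment yet).
    Overlapping bytes keep the lower-offset fragment's copy (a policy chosen
    for this example, not Snort's)."""
    if not fragments:
        return None
    buf = bytearray()
    for offset, _, payload in sorted(fragments, key=lambda f: f[0]):
        if offset > len(buf):
            return None                      # hole in the data
        buf += payload[len(buf) - offset:]   # trim any overlap with data we have
    _, more, _ = max(fragments, key=lambda f: f[0])
    return None if more else bytes(buf)      # final fragment must have arrived


def match_per_fragment(fragments: List[Fragment], sig: bytes = SIGNATURE) -> bool:
    """Naive check: look for the signature inside each fragment on its own."""
    return any(sig in payload for _, _, payload in fragments)


def match_after_reassembly(fragments: List[Fragment], sig: bytes = SIGNATURE) -> bool:
    """What a defragmenting preprocessor enables: match on the whole datagram."""
    data = reassemble(fragments)
    return data is not None and sig in data


# Constructed sample: 10-byte fragments delivered in reverse order.
SAMPLE_FRAGMENTS = list(reversed(fragment(FULL_PAYLOAD, 10)))

if __name__ == "__main__":
    print("per-fragment match:", match_per_fragment(SAMPLE_FRAGMENTS))      # False
    print("after reassembly: ", match_after_reassembly(SAMPLE_FRAGMENTS))   # True
```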
Note that the detection system can dissect a packet and apply rules on different
parts of the packet. These parts may be:
The IP header of the packet.
The Transport layer header. This header includes TCP, UDP or other transport
layer headers. It may also work on the ICMP header.