Abstract
Rule-based pattern matching is the main mechanism of Snort's detection engine. This paper improves Snort's matching mechanism by combining protocol analysis with pattern matching. Packets captured from the network are first preprocessed, and protocol analysis is used to analyze their high-level application protocols; based on the result of that analysis, a proposed new pattern matching algorithm is then used to match the other corresponding information in the packet, which significantly improves the efficiency of Snort rule matching. Tests show that the improved Snort performs better.
Source
《微计算机信息》
2009, Issue 6, pp. 106-107, 80 (3 pages in total)
Control & Automation
Keywords
Intrusion Detection
Protocol Analysis
Rule Tree
Pattern Matching