2014 2nd International Conference on Information and Communication Technology (ICoICT)

Improving Intrusion Detection System Based on Snort Rules for Network Probe Attack Detection

Nattawat Khamphakdee (Advanced Smart Computing Laboratory), Nunnapus Benjamas (Advanced Smart Computing Laboratory), Saiyan Saiyod (Hardware-Human Interface and Communications Laboratory)

Department of Computer Science, Faculty of Science, Khon Kaen University, Maung, Khon Kaen, Thailand

Abstract— Data and network system security plays a very important role. An organization should find methods to protect its data and network system and to reduce the risk from attacks. The Snort Intrusion Detection System (Snort-IDS) is a network security tool that has been widely used for protecting the networks of organizations. Snort-IDS uses rules to match data packet traffic; if a packet matches a rule, Snort-IDS generates an alert message. However, Snort-IDS contains many rules and also generates many false alerts. In this paper, we present a procedure for improving the Snort-IDS rules for network probe attack detection. For the performance evaluation, we used the MIT-DARPA 1999 data set, which includes normal and abnormal traffic. Firstly, we analyzed and explored the existing Snort-IDS rules in order to improve the proposed Snort-IDS rules. Secondly, we applied the Wireshark software to analyze the form of the attack data packets in the data set. Finally, the Snort-IDS was improved so that it can detect network probe attacks. In this paper, we classified the attacks into several groups based on the nature of the network probe attack. In addition, we compared the attack detection efficacy of the updated Snort-IDS rules with the Detection Scoring Truth. The experimental results show that the proposed Snort-IDS rules detect network probe attacks efficiently compared to the Detection Scoring Truth and achieve higher accuracy. However, some detection alerts occur more often than the corresponding attack in the Detection Scoring Truth, because some attacks occur several times while the Detection Scoring Truth identifies them as one occurrence.

Keywords- Intrusion Detection System (IDS); Snort-IDS rule; Network Security; Network probe attack;

I. INTRODUCTION

Many organizations need an efficient security tool for preserving their data and network security. In particular, organizations in finance, product trading and data services over the internet need the highest security for their customers' data. If those data are stolen by people with malicious intentions, it will cause high damage to the business. Moreover, network communication technology is improving fast and becoming more complicated. If an organization does not have efficient security tools for protecting its data and network security, that will be the way for an attacker to damage the network.

An Intrusion Detection System (IDS) is software for detecting and monitoring the data packet traffic on a network. When it finds abnormal packet traffic that matches an attack pattern, the system generates an alert. IDSs have therefore become an important tool for securing data and network systems, and they are one of the most interesting security research topics for researchers around the world. There are two detection techniques: anomaly intrusion detection and misuse intrusion detection. Intrusion detection systems are also divided into two types: Host-based Intrusion Detection Systems (HIDS) and Network-based Intrusion Detection Systems (NIDS) [1-2], such as Snort.

A. Snort-IDS

Snort is a popular Intrusion Detection and Protection System (IDS/IPS) used to protect systems from the risk of attackers. It is open source, lightweight software developed by Martin Roesch in the C language in 1998 [3]. Snort can be installed on almost any computer architecture and operating system platform. Moreover, Snort-IDS generates alerts in real time [4-5]. It searches and matches the data packets of the network traffic against its rules to check for abnormal packet traffic. Snort-IDS rules are written as single lines; they are easy to read and understand and can also be modified. The basic components of Snort-IDS are the Packet Decoder, Preprocessor, Detection Engine, Logging and Alerting System, and Output Modules [6-7].

Snort-IDS uses the rules to match against the network packet traffic. Figure 1 shows the basic structure of a Snort-IDS rule, which is divided into two logical parts: the rule header and the rule options. Figure 2 shows each field in the rule header of a Snort-IDS rule. It contains the criteria for matching a rule against the network packet traffic. In addition, the action field of the rule header defines the type of action, such as pass, log, alert, etc. The rule options follow the rule header and are enclosed in a pair of parentheses. In general, each option consists of two parts: a keyword and an argument. The keyword is separated from its argument by a colon, the argument of a keyword is written inside double quotes, and the options of a rule are separated from each other by semicolons.

Figure 1. Snort-IDS rules structure (Rule Header | Rule Options)

Figure 2. Snort-IDS rules header structure

Figure 3. The Snort-IDS rules example

Figure 3 shows an example of a Snort-IDS rule. This rule generates an alert if a TCP packet from the source IP address 172.16.115.50, from any port, is sent to any destination IP address on destination port 53 (DNS). In addition, it shows the message "DNS request attempt", and the number of the rule is sid:1000010.

B. Network probe attacks

Network probe attacks are one kind of attack. If the network administrator is not prepared to defend against them, the network will be targeted by an attacker and damaged. A network probe attack is the kind of attack that tries to collect data and find the network's vulnerabilities. These data (IP address, service name, operating system, application, host name, etc.) are necessary for the attacker, who uses scanning programs such as nmap, satan and mscan to collect them. Nowadays this kind of program is easy to find on the internet and easy to use; even people who are not familiar with computers can use them, and they are free [8]. Even though a network probe attack only collects network data, the attacker can use these data as the basis for other attacks, e.g. DoS, R2L and U2R. Therefore, the network administrator should provide an efficient tool for protection against attacks.

The rest of the paper is organized as follows. The next section briefly reviews recent papers regarding techniques for Snort-IDS rules. Then, in Section III, we explain our proposed procedure for improving the Snort-IDS rules. In Section IV, we provide a detailed description of the evaluation of our proposed Snort-IDS rules. Finally, the conclusion and future work are presented in Section V.

978-1-4799-3580-2/14/$31.00 ©2014 IEEE

II. RELATED WORK

Snort-IDS is an attack detection tool in which researchers around the world are interested. In [9-10], a tool was presented that helps the network administrator create Snort-IDS rules and view alerts via a Graphical User Interface (GUI). Besides, [6] introduced signature-based development with Snort for analyzing abnormal connections and also used the Basic Analysis and Security Engine (BASE) to display the alert results generated by Snort-IDS. However, these works did not improve the rules to increase the efficiency of attack detection.

In [5], a model of distributed attack detection in a campus network using Snort-IDS was designed. The main objective of that research was to compare protocol analysis and pattern matching methods to improve the speed and accuracy of the intrusion detection system. In [11], the authors evaluated the performance of Snort-IDS alerts and analyzed abnormal internet usage behavior for network security on a campus. Moreover, [12] evaluated the performance of Snort-IDS attack detection on a high-speed campus network. The results found that most of the Snort-IDS alerts were ICMP PING attacks. However, these works only evaluated the performance of Snort-IDS without improving the Snort-IDS rules.

Jinsheng Xu, et al. [13] explained a Snort lab which helps students learn how to write Snort-IDS rules. They gave the students 6 problems, applying the Snort-IDS rules to each attack detection. In addition, they also tested the Snort-IDS rules by replaying network traffic. Sagar N. Shah and Purnima Singh [7] introduced signature-based Snort-IDS development together with WinPcap. They installed and tested it on the Windows operating system. Their research aims to analyze abnormal activities in the network. The results found that Snort-IDS can run on the Windows operating system; furthermore, it can also be configured as a firewall. In addition, Mohammad Dabbour, et al. [14] investigated the details of Snort-IDS rules in order to design and adjust Snort-IDS rules for detecting and protecting against 3 kinds of website attack: SQL injection, XSS and command execution, respectively. Although they explained how to write Snort rules and showed the evaluated performance of the improved Snort-IDS rules, their rules can detect only some intrusions.

According to the research mentioned above, some works helped the network administrator analyze attacks more easily, while other works only tested the performance of Snort-IDS. Therefore, this paper investigates improving the intrusion detection system by introducing new Snort rules for network probe attack detection. In addition, we also classify network probe attacks into characteristic groups.

III. IMPROVING OF SNORT-IDS RULES PROCEDURE

In this section, we explain the improved procedure for the Snort-IDS rules, which consists of the analytical data packets procedure and the improving of the Snort-IDS rules. We then propose some examples of Snort-IDS rules. Each procedure is shown in Figure 4.

Figure 4. Improved Snort-IDS rules procedure (MIT-DARPA 1999 data set -> Analytical Packets -> Detection Scoring Truth -> Improved rules -> Proposed Snort-IDS rules)

A. Analytical data packets procedure

Figure 4 shows the analysis procedure for the improved Snort-IDS rules. In this paper, we use the MIT-DARPA 1999 [15] data set, whose detection performance was tested and evaluated by the MIT Lincoln Laboratory. The data set consists of normal and abnormal connections recorded in many file formats. In this paper, we use the .tcpdump file format and choose the 2 files inside.tcpdump and outside.tcpdump of weeks 4 and 5. We then apply Wireshark [16] to read the data set files; it shows the connection details of each packet, e.g. source and destination IP address, source and destination port, flags, window size, data, etc. These data are very necessary for analyzing the attack type and improving the Snort-IDS rules; they increase the correctness of the detection rules and decrease false alerts. However, most network administrators do not pay attention to these data.

B. Improved Snort-IDS rules

In this section, we compare the analyzed data packets of each packet connection in the data set with the attack events in the Detection Scoring Truth [17] to verify which packets are attack events. Examples of the compared data are IDnum, Date, StartTime and Attackname. In this paper, we only analyze network probe attacks.

After improving the Snort-IDS rules, all rules are recorded in text file format. However, there are several types of network probe attacks; therefore, we classify the network probe attacks into 6 groups, as shown in Table I. As a result, we can see the number of rules grouped by rule type: in the case of probe_queso.rules there are 28 rules, which is the most in this paper, whereas there is only one rule in the case of probe_ls_domain.rules.

TABLE I. THE GROUP AND NUMBER OF SNORT-IDS RULES

No.  Rules type               Total rules
1    probe_portsweep.rules    25
2    probe_ipsweep.rules      9
3    probe_satan.rules        3
4    probe_ls_domain.rules    1
5    probe_ntinfoscan.rules   5
6    probe_queso.rules        28

C. Proposed Snort-IDS rules

In this section, we demonstrate the details of some Snort-IDS rules which are used for detecting probe attacks.

TABLE II. SOME EXAMPLES OF PROPOSED SNORT-IDS RULES

No. 1
alert tcp $HOME_NET any -> $HOME_NET 80 (msg:"HTTP Scan attempted"; \
    flow:to_server; fragoffset:0; fragbits:!D; ack:0; flags:S; window:2048; \
    classtype:network-scan; priority:3; sid:1000003;)

No. 2
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Scan Echo"; \
    itype:8; icode:0; fragbits:!D; content:"|00 00 00 00 00 00 00 00 00 00|"; \
    depth:10; icmp_id:0; icmp_seq:0; ttl:254; classtype:attempted-recon; \
    priority:3; sid:1000026;)

No. 3
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"Finger 0 query attempted"; \
    content:"0"; flow:to_server,established; fragoffset:0; fragbits:D; flags:A; \
    classtype:attempted-recon; priority:3; sid:1000036;)

No. 4
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS request name"; \
    flow:to_server,established; content:"|00 fc 00 01|"; nocase; depth:4; \
    metadata:service dns; classtype:attempted-recon; priority:3; sid:1000034;)

No. 5
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Request connection"; \
    flow:to_server,established; content:"quit"; flags:AP; fragbits:D; \
    metadata:service ftp; classtype:tcp-connection; priority:4; sid:1000039;)

No. 6
Rule 1.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP Scan attempted OS"; \
    flow:to_server; ack:0; flags:S; fragoffset:0; window:4660; ttl:254; \
    metadata:service smtp; classtype:attempted-recon; priority:3; sid:1000040;)
Rule 2.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP Scan attempted OS"; \
    flow:to_server; ack:0; flags:AS; fragoffset:0; window:4660; ttl:254; \
    metadata:service smtp; classtype:attempted-recon; priority:3; sid:1000041;)
Rule 3.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP Scan attempted OS"; \
    flow:to_server; ack:0; flags:F; fragoffset:0; window:4660; ttl:254; \
    metadata:service smtp; classtype:attempted-recon; priority:3; sid:1000042;)
Rule 4.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP Scan attempted OS"; \
    flow:to_server; ack:0; flags:AF; fragoffset:0; window:4660; ttl:254; \
    metadata:service smtp; classtype:attempted-recon; priority:3; sid:1000043;)
Rule 5.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP Scan attempted OS"; \
    flow:to_server; ack:0; flags:SF; fragoffset:0; window:4660; ttl:254; \
    metadata:service smtp; classtype:attempted-recon; priority:3; sid:1000044;)
Rule 6.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP Scan attempted OS"; \
    flow:to_server; ack:0; flags:P; fragoffset:0; window:4660; ttl:254; \
    metadata:service smtp; classtype:attempted-recon; priority:3; sid:1000045;)
Rule 7.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP Scan attempted OS"; \
    flow:to_server; ack:0; flags:CES; fragoffset:0; window:4660; ttl:254; \
    metadata:service smtp; classtype:attempted-recon; priority:3; sid:1000046;)
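The rule grammar of Section I.A and the Table II rules, worked as an added Python example (this code is not part of the paper and is not Snort's own matcher): it parses rules in the paper's format into header fields and options, resolves $HOME_NET and $EXTERNAL_NET to the values the paper sets in snort.conf, and replays a constructed 7-packet Queso-style sequence against rules 1 to 7 to show that each packet fires exactly one sid. The packet dictionaries, the 10.0.0.5 source address and the subset of option keywords that are evaluated are assumptions of this example; Snort's real detection engine evaluates far more.

```python
import ipaddress
import re

# snort.conf variables as the paper sets them for the MIT-DARPA 1999 data set (Section IV.B).
IPVARS = {"$HOME_NET": "172.16.0.0/16", "$EXTERNAL_NET": "!172.16.0.0/16"}
# Option keywords compared against a packet field of the same name; the remaining keywords in the
# paper's rules (msg, flow, metadata, classtype, priority, sid, fragbits) are parsed but not matched.
FIELD_OPTIONS = ("flags", "ack", "window", "ttl", "fragoffset", "itype", "icode", "icmp_id", "icmp_seq")

def parse_rule(text):
    """Split a rule into header fields (action proto src sport -> dst dport) and (keyword, argument) options."""
    text = " ".join(text.replace("\\\n", " ").split())  # join continuation lines, collapse whitespace
    head, _, rest = text.partition("(")
    action, proto, src, sport, _direction, dst, dport = head.split()
    options = []
    # Split on ';' only when an even number of double quotes follows it, i.e. not inside msg:"...".
    for opt in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', rest.rsplit(")", 1)[0]):
        if opt.strip():
            key, _, arg = opt.strip().partition(":")
            options.append((key.strip(), arg.strip().strip('"').strip()))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def content_bytes(arg):
    """Decode a content argument: text outside |...| is literal ASCII, inside it is hex bytes."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(arg.split("|")))

def ip_matches(spec, addr):
    """Resolve $VAR, then handle 'any' and a leading '!' negation before testing CIDR membership."""
    spec = IPVARS.get(spec, spec)
    if spec == "any":
        return True
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")

def rule_matches(rule, pkt):
    """True when the rule header and every modelled option match the packet dict."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (ip_matches(rule["src"], pkt["src"]) and ip_matches(rule["dst"], pkt["dst"])):
        return False
    for spec, port in ((rule["sport"], pkt.get("sport")), (rule["dport"], pkt.get("dport"))):
        if spec != "any" and int(spec) != port:
            return False
    content, depth = None, None
    for key, arg in rule["options"]:
        if key in FIELD_OPTIONS:
            want = arg if key == "flags" else int(arg)  # flags:S means exactly SYN set, as in Snort
            if pkt.get(key) != want:
                return False
        elif key == "content":
            content = content_bytes(arg)
        elif key == "depth":
            depth = int(arg)
    if content is not None:  # depth limits the search to the first N payload bytes
        haystack = pkt.get("payload", b"")
        return content in (haystack[:depth] if depth else haystack)
    return True

# Table II rules 1-7 differ only in the flags value and sid, so they are generated from one template.
QUESO_FLAGS = {1000040: "S", 1000041: "AS", 1000042: "F", 1000043: "AF",
               1000044: "SF", 1000045: "P", 1000046: "CES"}
RULES = [parse_rule(
    f'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP Scan attempted OS"; flow:to_server; ack:0; '
    f'flags:{fl}; fragoffset:0; window:4660; ttl:254; metadata:service smtp; classtype:attempted-recon; '
    f'priority:3; sid:{sid};)') for sid, fl in QUESO_FLAGS.items()]
# Table II example No.2 (ipsweep), which exercises content/depth matching on the ICMP payload.
RULES.append(parse_rule(
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Scan Echo"; itype:8; icode:0; fragbits:!D; '
    'content:"|00 00 00 00 00 00 00 00 00 00|"; depth:10; icmp_id:0; icmp_seq:0; ttl:254; '
    'classtype:attempted-recon; priority:3; sid:1000026;)'))

def matching_sids(pkt, rules=RULES):
    """sids of every rule that fires on the packet (Snort would raise one alert per such rule)."""
    return [int(dict(r["options"])["sid"]) for r in rules if rule_matches(r, pkt)]

def queso_sequence(src="10.0.0.5"):
    """Constructed 7-packet Queso-style probe of port 25 carrying the field values the paper's rules key on."""
    base = {"proto": "tcp", "src": src, "dst": "172.16.112.50", "sport": 40000, "dport": 25,
            "ack": 0, "fragoffset": 0, "window": 4660, "ttl": 254}
    return [dict(base, flags=f) for f in ("S", "AS", "F", "AF", "SF", "P", "CES")]
```

The same sequence sent from a 172.16.0.0/16 host matches nothing, because $EXTERNAL_NET is negated exactly as the paper's snort.conf change requires.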

Some examples of the Snort-IDS rules are shown in Table II. In example No.1, we improved the attack detection rule for the so-called "portsweep attack". This rule allows Snort-IDS to detect the attack in the network: Snort-IDS will alert when the attacker tries to scan a computer that has the HTTP service open (port number 80). In addition, we also use the fragbits, flags and window options as the criteria for matching the packets.

In example No.2, we improved the attack detection rule for the so-called "ipsweep attack". Snort-IDS will alert when an attacker outside the network sends ICMP PING packets to the network, by which the attacker tries to find the existing IP addresses. In order to detect the attack correctly, we use the icmp_id and icmp_seq options as criteria in the rule for matching the packets. For the content rule option, we define the matching packet payload in the form of the binary data 00 00 00 00 00 00 00 00 00 00, which increases the efficiency of the Snort-IDS attack detection.

In example No.3, we improved the attack detection rule for the so-called "Satan attack". In this kind of attack, the attacker uses the Satan program to scan the target computer for open ports. The rule presented in example No.3 makes Snort-IDS alert when the attacker scans the finger service (port number 79); this port is used for the data service of the operating system. In addition, we also use the content rule option for matching the packet payload with the ASCII string 0.

In example No.4, we improved the attack detection rule for the so-called "ls_domain attack". This is a new attack that was added to the data set. Snort-IDS is set to alert when an attacker outside the network tries to search for a computer that has the DNS service open (port number 53). In order to increase the efficiency of the attack detection, we define the matching packets with the TCP protocol and also use the content rule option for matching the packet payload with the binary data 00 fc 00 01.

In example No.5, we improved the attack detection rule for the so-called "ntinfoscan attack". Snort-IDS will alert when attackers from outside the network try to connect to the network by sending TCP packets to the FTP service (port number 21). In addition, the rule also uses the content rule option as a criterion for matching the packet payload with the ASCII string quit.

In example No.6, we improved the attack detection rules for detecting the "Queso attack", which is newly added to the data set. The attacker uses the Queso program to send 7 TCP packets to one port of the target computer in the network within a short time. The 1st to 4th packets are used to request the opening and closing of a connection. The 5th to 7th packets are abnormal packets whose TCP flags have been modified. In this example, Snort-IDS is set to alert when the attacker sends TCP packets to the SMTP service (port number 25). Rules 1 to 4 are used to detect the attacker's packets that request the opening and closing of a connection; in addition, we also use the flags, window and ttl options for matching the packet data. Rules 5 to 7 are used to detect the packets whose TCP flags are modified in different ways: SF, P and CES.

IV. PERFORMANCE EVALUATION

This section describes the experimental evaluation of the Snort-IDS rules to compare the detection performance. The performance evaluation consists of four procedures: the classified network probe attacks procedure, the tested Snort-IDS rules procedure, the detection accuracy comparison of the Snort-IDS rules procedure, and the final summary of the attack detection of the proposed Snort-IDS.

A. Classified network probe attacks

The Detection Scoring Truth consists of the event types DoS, U2R, R2L and Probe attacks, which the MIT Lincoln Laboratory used to test and evaluate the performance of existing intrusion detection systems, in both the outside.tcpdump and inside.tcpdump files of the two weeks (4 and 5). In this paper, we focus on the network probe attacks, which can be classified as shown in Table III.

Table III shows the number of network probe attacks in the Detection Scoring Truth. We can see that the ipsweep attacks are the most frequent with up to 310 occurrences, and the portsweep attacks occurred 305 times, but in the case of the ls_domain attack there is only one occurrence.

TABLE III. NUMBER OF CLASSIFIED GROUP NETWORK PROBE ATTACKS IN THE DETECTION SCORING TRUTH SUMMARY

             Week4                Week5                Total
Attack name  In   Out   Total     In   Out   Total     Attacks
portsweep     8    27    35        6   264   270       305
ipsweep       0   292   292        0    18    18       310
satan         0     4     4        0     1     1         5
ls_domain     0     0     0        0     1     1         1
ntinfoscan    0     2     2        0     5     5         7
queso         0     0     0        7    21    28        28
Total                                                  656

B. Tested Snort-IDS rules procedure

The performance evaluation of the Snort-IDS rules is performed by means of the detection rate, which is calculated as the number of detections per total number of attacks of each attack type. The Snort-IDS system is installed using Snort version 2.9.2.2 on the CentOS operating system [18]. In order to get experimental results, the Snort-IDS configuration needs to be modified; we modified the snort.conf file to make it conform to the data set. We changed "ipvar HOME_NET any" to "ipvar HOME_NET 172.16.0.0/16" and "ipvar EXTERNAL_NET any" to "ipvar EXTERNAL_NET !172.16.0.0/16". In addition, we use a MySQL database for collecting the alert data.

Figure 5 shows the Snort-IDS rules testing procedure. The Traffic Flow Control is the packet data in the data set (inside.tcpdump/outside.tcpdump). We use the command

snort -N -r inside.tcpdump/outside.tcpdump -c /etc/snort/snort.conf

to direct Snort-IDS to process the data set file. The -N option makes sure that Snort does not log each packet to the terminal, because that takes more time; the -r option specifies which tcpdump file must be loaded; and the -c option specifies where the configuration file is located. When Snort-IDS detects a traffic packet which matches a Snort-IDS rule, it generates an alert and records it in the alert database.
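The detection-rate definition of Section IV.B and the time-based comparison of alerts against the Detection Scoring Truth (the Figure 6 procedure), worked as an added Python example that is not part of the paper: it matches constructed alert rows to constructed truth entries by attack name and time window, then computes the per-type detection rate and the alerts-per-event count that explains why the alert totals exceed the truth totals. The truth ids, timestamps, durations and the 5-second slack are constructed assumptions of this example, not values taken from the data set.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Detection Scoring Truth entries with the fields the paper compares on (IDnum, Date,
# StartTime, Attackname). The duration column is an assumption of this example, not a field the paper cites.
TRUTH = [
    {"id": "41.084531", "date": "03/29/1999", "start": "08:44:38", "duration": "00:10:07", "name": "portsweep"},
    {"id": "41.102019", "date": "03/29/1999", "start": "10:20:19", "duration": "00:00:40", "name": "ipsweep"},
    {"id": "42.091501", "date": "03/30/1999", "start": "09:15:01", "duration": "00:01:12", "name": "satan"},
    {"id": "51.144420", "date": "04/05/1999", "start": "14:44:20", "duration": "00:00:05", "name": "ls_domain"},
]
# Constructed rows as they would be read back from the alert database; the attack name is the
# Table I group that the firing rule belongs to.
ALERTS = [
    {"time": "03/29/1999 08:44:40", "sid": 1000003, "name": "portsweep"},
    {"time": "03/29/1999 08:49:12", "sid": 1000003, "name": "portsweep"},
    {"time": "03/29/1999 08:54:30", "sid": 1000003, "name": "portsweep"},
    {"time": "03/29/1999 10:20:21", "sid": 1000026, "name": "ipsweep"},
    {"time": "03/30/1999 11:02:00", "sid": 1000036, "name": "satan"},  # outside the satan event's window
    {"time": "04/05/1999 14:44:22", "sid": 1000034, "name": "ls_domain"},
]

def _ts(date, time):
    return datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")

def _window(entry, slack):
    """Time window of a truth event, widened by `slack` on both sides to absorb clock differences."""
    h, m, s = (int(x) for x in entry["duration"].split(":"))
    start = _ts(entry["date"], entry["start"])
    return start - slack, start + timedelta(hours=h, minutes=m, seconds=s) + slack

def compare(truth, alerts, slack=timedelta(seconds=5)):
    """Count, per truth event id, the alerts of the same attack name whose time falls inside the
    event's window. Alerts that fall in no window of their attack name are returned as mismatches."""
    hits = {t["id"]: 0 for t in truth}
    mismatches = []
    for alert in alerts:
        when = datetime.strptime(alert["time"], "%m/%d/%Y %H:%M:%S")
        matched = False
        for t in truth:
            lo, hi = _window(t, slack)
            if t["name"] == alert["name"] and lo <= when <= hi:
                hits[t["id"]] += 1
                matched = True
        if not matched:
            mismatches.append(alert)
    return hits, mismatches

def detection_rate(truth, hits):
    """Detection rate per attack type as the paper defines it: detected events / total events of the type."""
    total, detected = defaultdict(int), defaultdict(int)
    for t in truth:
        total[t["name"]] += 1
        detected[t["name"]] += int(hits[t["id"]] > 0)
    return {name: detected[name] / total[name] for name in total}

def alerts_per_event(truth, hits):
    """Alerts raised per truth event; values above 1 are the over-counting the paper reports."""
    return {t["id"]: hits[t["id"]] for t in truth}
```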

Figure 5. Snort-IDS rules tested procedure (MIT-DARPA 1999 data set -> Snort-IDS with the proposed Snort-IDS rules -> Alert Database)

C. Detection accuracy comparison of the Snort-IDS rules procedure

Figure 6. The procedure of the attack detection comparison (Alert Database and Detection Scoring Truth -> Comparison -> Intrusion Detection Result)

Figure 6 shows the procedure of the attack detection comparison for the Snort-IDS rules. The information in the alert database is compared with the actual attacks in the Detection Scoring Truth. The attack times of the Detection Scoring Truth and the intrusion detection results of the proposed procedure are compared by considering the matching time of each attack. However, there are some attack times that do not match.

The comparative analysis shows that the number of Snort-IDS alerts in Table IV is greater than the number of attacks in Table III, because some attacks occur repeatedly in the same period, and each of them creates a Snort-IDS alert in that period as well.

TABLE IV. RESULT OF INTRUSION DETECTION OF NETWORK PROBE ATTACKS SUMMARY

             Week4                  Week5                  Total
Attack name  In    Out   Total      In    Out   Total      alert
portsweep    35     14     49      275   440    715        764
ipsweep     150    433    583      285   209    494       1077
satan         8      8     16        7     7     14         30
ls_domain     0      0      0        3     3      6          6
ntinfoscan    4      4      8       16    16     32         40
queso         0      0      0        7    21     28         28
Total                                                      1945

D. Summary of the attack detection of the proposed Snort-IDS

Table IV shows the summary of the attack detection of the proposed Snort-IDS. We tested the detection performance using both data set files, inside.tcpdump and outside.tcpdump, of weeks 4 and 5. The results of the performance evaluation are shown in Table IV. The total number of network probe attacks detected by Snort-IDS is 1945. The ipsweep attack is the most frequent with up to 1077 detections, the portsweep attack has 764, but the ls_domain attack has only 6.

V. CONCLUSION AND FUTURE WORK

Snort-IDS is an effective intrusion detection and network security tool for monitoring abnormal behavior; it generates an alert when it detects matching data packet traffic. This paper has improved the Snort-IDS rules for network probe attack detection, and in addition it classifies the characteristics of network probe attacks. The results of testing the Snort-IDS rules confirm that the proposed Snort-IDS can correctly detect 100% of the network probe attacks in the MIT-DARPA 1999 data set. However, regarding the comparative analysis with the Detection Scoring Truth, the number of detections of the proposed Snort-IDS rules is larger than the number in the Detection Scoring Truth, because some attacks occurred several times. Nevertheless, the Snort-IDS rules can help network administrators quickly analyze the patterns of attacks. In addition, they must also regularly update the Snort-IDS rules, because attackers try to find new methods and the complexity of network attacks increases over time.

For future work, we will improve the Snort-IDS rules for intrusion detection of the DoS, U2R and R2L attack types.

REFERENCES

[1] Sandip Sonawane, Shailendra Pardeshi and Ganesh Prasad, "A survey on intrusion detection techniques," Proceedings of the National Conference on Emerging Trends in Information Technology (NCETIT), pp. 127-133, 2012.
[2] Nishidh Patel, Vrushank Shah and K. J. Pancholi, "Comparative study of intrusion detection system model on the LAN system," Journal of Information Knowledge and Research in Electronics and Communication Engineering, pp. 432-435, 2013.
[3] Snort. Available at http://www.snort.org/snort-downloads?
[4] Zhimin Zhou, Chen Zhongwen, Zhou Tiecheng and Guan Xiaohui, "The study on network intrusion detection system of Snort," in Proc. 2nd International Conference on Networking and Digital Society (ICNDS), pp. 194-196, 2010.
[5] Changwei Huang, Jinquan Xiong and Zhengwen Peng, "Applied research on Snort intrusion detection model in the campus network," IEEE Symposium on Robotics and Applications (ISRA), pp. 596-599, 2012.
[6] Vinod Kumar and Om Prakash Sangwan, "Signature Based Intrusion Detection System Using SNORT," International Journal of Computer Application & Information Technology, pp. 35-41, 2012.
[7] Sagar N. Shah and Purnima Singh, "Signature-Based Network Intrusion Detection System Using SNORT And WINPCAP," International Journal of Engineering Research & Technology (IJERT), pp. 1-7, 2012.
[8] Probe attack. Available at http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/ideval/docs/attackDB.html#probes
[9] Xiaojin Hong, Changzhen Hu, Zhigang Wang, Guoqiang Wang and Ying Wan, "VisSRA: Visualizing Snort Rules and Alerts," in Proc. Fourth International Conference on Computational Intelligence and Communication Networks (CICN), pp. 441-444, 2012.
[10] A. EL-Dia Riad, I. Elhenawy, A. Hassan and N. Awadallah, "Using Jquery with Snort to Visualize Intrusion," IJCSI International Journal of Computer Science Issues, pp. 486-491, 2012.
[11] Xinyu Geng, Bing Liu and Xiaoyan Huang, "Investigation on Security System for SNORT-Based Campus Network," in Proc. 1st International Conference on Information Science and Engineering (ICISE), pp. 1756-1758, 2009.
[12] Suman Rani and Vikram Singh, "SNORT: An Open Network Security Tool for Intrusion Detection in Campus Network Environment," International Journal of Computer Technology and Electronics Engineering (IJCTEE), 2012.
[13] Jinsheng Xu, Jinghua Zhang, Triveni Gadipalli, Xiaohong Yuan and Huiming Yu, "Learning Snort Rule By Capturing Intrusions in Live Network Traffic Replay," Proceedings of the 15th Colloquium for Information Systems Security Education (CISSE), pp. 145-150, 2011.
[14] Mohammad Dabbour, Izzat Alsmadi and Emad Alsukhni, "Efficient Assessment and Evaluation for Websites Vulnerabilities Using SNORT," International Journal of Security and its Applications, pp. 7-16, 2013.
[15] MIT-DARPA 1999 Intrusion Detection System Evaluation Data Sets. Available at http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/ideval/data/1999data.html
[16] WireShark. Available at http://en.wikipedia.org/wiki/Wireshark
[17] Data Scoring Truth. Available at http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/files/master-listfile-condensed.txt
[18] Linux CentOS. Available at http://www.centos.org