Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.

Date of Graduation

Summer 2014

Document Type

Thesis

Degree Name

Master of Science (MS)

Department

Department of Computer Science

Abstract

Network intrusion systems work on many models, but at their core they rely on algorithms to process data and determine if the network traffic is malicious in nature. Snort is the most widely-used open source network based Intrusion Prevention System / Intrusion Detection System (IPS/IDS) system. It works by comparing network traffic to a list or lists of rules to determine if and what action should be taken. These rules are referred to as signatures, since they are intended to identify a single pattern of network traffic just like a physical signature identifies a single author. I have developed an algorithm that accepts as input any file or a directory and outputs Snort signatures. This action allows a quick turnaround in creating a rule to stop specific information from traversing the network. By using such a tool, Systems Administrators can better protect their environments through custom rule sets. To verify the algorithm, I generated files of various types containing randomized content and parsed them to generate rules. I then used a Snort installation to process the rules and a packet capture containing the files to determine if the rules operated as intended. Previously, the creation of rules typically was limited to a very small group of experts that focus solely on such tasks. The core of this research is to enable users to easily create a custom Snort installation, in addition to utilizing the default signatures all Snort deployments use. This increases the security of the assets that each site considers valuable and can be used to prevent data breaches that a typical IDS/IPS deployment could not. The algorithm I have developed is a beginning to the process of creating custom rule sets in an automated manner based on the unique content of each user’s environment.

Download

Share

COinS
 
 

To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.