Please use this identifier to cite or link to this item: https://repository.sustech.edu/handle/123456789/26475
Title: Performance Assessment of Snort-based Network Intrusion Detection System
Other Titles: تقييم أداء نظام اكتشاف التسلل في الشبكات المعتمد على سنورت
Authors: Ibrahim, Riham Gafer Mohamed
Supervisor: Ahmed Abdalla Mohamed Ali
Keywords: Engineering
Electronics Engineering
Snort-based Network
Intrusion Detection System
Issue Date: 22-Apr-2021
Publisher: Sudan University of Science and Technology
Citation: Ibrahim, Riham Gafer Mohamed. Performance Assessment of Snort-based Network Intrusion Detection System / Riham Gafer Mohamed Ibrahim; Ahmed Abdalla Mohamed Ali. - Khartoum: Sudan University of Science and Technology, College of Engineering, 2021. - 53 p.: ill.; 28 cm. - M.Sc.
Abstract: In today's world, securing network resources is an important issue. One of the mechanisms used to secure a network against attackers is the Intrusion Detection System (IDS). Snort is a famous and widely used IDS. This research assesses Snort by testing it in two different ways. The first is an off-line test with a benchmark dataset. The test uses the Defense Advanced Research Projects Agency (DARPA) dataset as incoming traffic while running Snort in NIDS mode. Snort analyzed this traffic according to the rules configured in its configuration file, where each attack had specific rules used to detect it. This research is concerned with Denial of Service (DoS) attacks, probe attacks, Remote to Local (R2L) attacks and User to Root (U2R) attacks. The second is an online test using Kali tool as a remote hacking host and another host as the target. The results showed that, in the first test, Snort can detect U2R and R2L attacks perfectly and can detect probing and DoS attacks with a number of false positive alerts. In the second test, Snort can detect scanning and Secure Shell (SSH) attacks very well with no dropped packets, and can detect Internet Control Message Protocol (ICMP) flooding attacks but with some packets dropped. Snort can raise an alert for every incoming attack, but it cannot alert on every incoming packet because it cannot handle multiple packets in a small time duration. Using Snort within a collection of detection systems can enhance intrusion detection efficiency.
Description: Thesis
URI: http://repository.sustech.edu/handle/123456789/26475
Appears in Collections: Masters Dissertations : Engineering

Files in This Item:
File: Performance Assessment ....pdf (Restricted Access)
Description: Research
Size: 1.24 MB
Format: Adobe PDF

