ND CSE Department Notre Dame

Software Releases


Snort/ACID Database Optimizations

Snort's ability to log alerts into an SQL database, combined with the ACID analysis console, makes it a powerful tool for security personnel to monitor and analyze IDS events. However, under high alert loads, the database system itself can become a bottleneck that causes packet drops and loss of information, rendering the entire NIDS ineffective.

Caching one key database table inside the Snort sensor eliminates a costly database lookup and reduces the alert insertion overhead by over 25 percent. The modified database plugin for Snort as well as an associated technical report are available here at no cost. The code has been developed for Snort 1.9.1 and is compatible with Snort 2.0.

  • spo_database.c replaces the original database plugin and includes the signature cache.

  • spo_database_patch is a context diff that can be applied to the original spo_database.c file using the patch utility.

  • Lambert Schaelicke, Matthew Geiger, Curt Freeland, "Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor," tech. report TR 03-10, Department of Computer Science and Engineering, University of Notre Dame, Notre Dame, Ind., 2003.

  • Feel free to contact us with any questions or comments, especially if you find this code useful.
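To illustrate the signature-cache idea described above, here is an added example (not the SPANIDS spo_database.c code): a sensor-side cache that maps a rule's (sid, rev) pair to the key of its row in the database signature table, so that only the first alert for a rule pays the signature-table round-trip. The (sid, rev) key, the hash layout and the counter stubs standing in for the database are assumptions of this example.

```c
#include <stdlib.h>

/* Constructed illustration of a sensor-side signature cache; not the
 * SPANIDS spo_database.c code. The "database" is a pair of counters. */

#define CACHE_BUCKETS 64

typedef struct entry {
    unsigned sid, rev;      /* Snort rule id and revision (assumed cache key) */
    long db_key;            /* primary key of the signature-table row */
    struct entry *next;
} entry;

static entry *buckets[CACHE_BUCKETS];
static long sig_queries = 0;   /* SELECT/INSERT round-trips on the signature table */
static long event_inserts = 0; /* INSERT round-trips on the event table */
static long next_key = 1;

/* Stub for the database: resolve (sid, rev) to a signature-table key. */
static long db_resolve_signature(unsigned sid, unsigned rev) {
    (void)sid; (void)rev;
    sig_queries++;
    return next_key++;
}

/* Look up the signature key locally; only a cache miss costs a database query. */
long cached_signature_key(unsigned sid, unsigned rev) {
    unsigned h = (sid * 31u + rev) % CACHE_BUCKETS;
    for (entry *e = buckets[h]; e; e = e->next)
        if (e->sid == sid && e->rev == rev)
            return e->db_key;
    long key = db_resolve_signature(sid, rev);
    entry *n = malloc(sizeof *n);
    if (n) { n->sid = sid; n->rev = rev; n->db_key = key; n->next = buckets[h]; buckets[h] = n; }
    return key;   /* on allocation failure the key is still correct, just uncached */
}

/* Log one alert: always one event INSERT, plus a signature query only on a miss. */
long log_alert(unsigned sid, unsigned rev) {
    long key = cached_signature_key(sid, rev);
    event_inserts++;
    return key;
}

/* Replay n alerts spread over `distinct` rule ids; returns signature queries issued. */
long replay_alerts(unsigned n, unsigned distinct) {
    for (unsigned i = 0; i < n; i++)
        log_alert(1000000u + i % distinct, 1);
    return sig_queries;
}

long signature_queries(void) { return sig_queries; }
long event_insert_count(void) { return event_inserts; }
```

Without the cache every alert would cost the signature query as well as the event insert; with it, 1000 alerts over three rules issue three signature queries in total.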

Verilog Hardware and Testing Modules

During the prototype development, a number of general-purpose modules have been designed that may be of interest to other users. The SPANIDS team will be happy to provide this code free of charge, just ask us.

  • PCI Bus Target Module Test Code
    This code implements a 32-bit PCI bus model and provides Verilog tasks that generate a number of bus transactions. A PCI bus monitor decodes all transactions and prints them to the simulator console for debugging purposes. The code is not synthesizable but is intended as a test bench for PCI target models.
  • Reading TCP-dump Files
    This combination of Verilog and PLI code lets Verilog simulations read network packets from trace files in the commonly used TCP-Dump format. This may be useful to simulate and test packet processing hardware. The PLI code pads the packets and recreates Ethernet, IP and UDP/TCP checksums if the tracefile did not capture the entire packet. The code uses the original time stamps to produce the correct interpacket gap, or alternatively replays packets at the maximum wire speed.
  • Ethernet Packet Decoder
    The decoder observes Ethernet packets, decodes them and prints key information such as source and destination addresses to the simulator console. It currently handles IP, ARP, TCP, UDP, ICMP and IGMP protocols. The module is intended as a debugging aid in a test bench for network processing hardware.
  • Please note that although we do not provide direct links to these modules here, they have been used extensively and have been stable for quite some time. We are more than happy to provide the Verilog code upon request, and to answer any questions.

This material is based upon work supported by the National Science Foundation under Grant No. ANI02-31535. Any opinions, findings, and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation. Additional funding is provided by a Faculty Research Grant from the University of Notre Dame Graduate School.
Copyright ND SPANIDS 2002-2004.
For questions regarding this web page contact SPANIDS.
Last updated: 01/06/2005.