Technical Papers Session VI: Performance enhancement of Snort IDS through Kernel modification

Abstract/Description

Performance and improved packet-handling capacity under high traffic load are important requirements for an effective intrusion detection system (IDS). Snort is one of the most popular open-source intrusion detection systems that run on Linux. This research article discusses ways of enhancing the performance of Snort by modifying key Linux parameters related to the NAPI packet reception mechanism within the Linux kernel networking subsystem. Our enhancement overcomes the current limitations related to NAPI throughput. We experimentally demonstrate that the current default budget B value of 300 does not yield the best Snort throughput. We show that a small budget value of 14 gives the best Snort performance in terms of packet loss, both in the kernel subsystem and at the application level. Furthermore, we compare our results to those reported in the literature and show that our enhancement, through tuning certain parameters, yields superior performance.

Location

Room C9 (Aman Tower, 3rd floor)

Session Theme

Technical Papers Session VI - Networks

Session Type

Parallel Technical Session

Session Chair

Dr. Syed Hyder Abbas Musavi

Start Date

17-11-2019 2:20 PM

End Date

17-11-2019 2:40 PM
