Technical Papers Session VI: Performance enhancement of Snort IDS through Kernel modification
Abstract/Description
Performance and improved packet handling capacity under high traffic load are important requirements for an effective intrusion detection system (IDS). Snort is one of the most popular open-source intrusion detection systems and runs on Linux. This research article discusses ways of enhancing the performance of Snort by modifying key Linux parameters related to the NAPI packet reception mechanism within the Linux kernel networking subsystem. Our enhancement overcomes the current limitations related to NAPI throughput. We experimentally demonstrate that the current default budget B value of 300 does not yield the best Snort throughput. We show that a small budget value of 14 gives the best Snort performance in terms of packet loss, both at the kernel subsystem and at the application level. Furthermore, we compare our results to those reported in the literature and show that our enhancement, achieved through tuning certain parameters, yields superior performance.
Keywords
Intrusion detection, Snort packet handling capacity, Kernel modifications, Performance enhancement metrics
Location
Room C9 (Aman Tower, 3rd floor)
Session Theme
Technical Papers Session VI - Networks
Session Type
Parallel Technical Session
Session Chair
Dr. Syed Hyder Abbas Musavi
Start Date
17-11-2019 2:20 PM
End Date
17-11-2019 2:40 PM
Recommended Citation
Changazi, S. A., Shafi, I., Saleh, K., Islam, M. H., Hussainn, S. M., & Ali, A. (2019). Technical Papers Session VI: Performance enhancement of Snort ids through Kernel modification. International Conference on Information and Communication Technologies. Retrieved from https://ir.iba.edu.pk/icict/2019/2019/43