idsresearch.org :: about intrusion detection
Papers
 
    
Optimizing Pattern Matching for Intrusion Detection  ::  updated 7.4.2004
Marc Norton
This paper presents important characteristics of IDS pattern matchers and explains why some pattern matching algorithms are preferable to others. Norton also presents new pattern matching technology based on the traditional Aho-Corasick algorithm and compares its performance against standard multi-pattern matching algorithms.


HTTP IDS Evasions Revisited  ::  updated 8.1.2003
Daniel Roelker
This paper explains and illustrates both general and specific HTTP IDS evasions. The differences between protocol-based IDSs and pattern matching IDSs are explained, along with the various URL encodings and obfuscations. HTTP protocol-based evasions are also described and illustrated.


Snort™ Multi-Rule Inspection Engine  ::  updated 8.12.2003
Marc Norton, Daniel Roelker
This paper explains the design of the Snort 2.0 high-speed detection engine.


Snort™ Rule Optimizer  ::  updated 8.12.2003
Marc Norton, Daniel Roelker
This paper explains the design of the Snort 2.0 rule optimizer. The rule optimizer and the high-speed detection engine make up the core of the Snort 2.0 detection engine.


Snort™ Protocol Flow Analyzer  ::  updated 8.12.2003
Marc Norton, Daniel Roelker
This paper explains the concepts behind protocol flow analysis and its effect on IDSs. Currently, Snort 2.0 has an HTTP protocol flow analyzer, but the concepts in this paper can be applied to any application protocol.