Visible to the public An IDS Rule Redundancy Verification

TitleAn IDS Rule Redundancy Verification
Publication TypeConference Paper
Year of Publication2020
AuthorsNoiprasong, P., Khurat, A.
Conference Name2020 17th International Joint Conference on Computer Science and Software Engineering (JCSSE)
Keywordsanomaly network traffics, commented rules, composability, computer network security, IDS, IDS rule redundancy verification, IDS rule verification, intrusion detection system, IP networks, network security software, open-source IDS system, Payloads, Protocols, pubcrawl, public rulesets, Redundancy, resilience, Resiliency, Semantics, Snort, Snort community, Snort rule combinations, Syntactics, telecommunication traffic, Tools
AbstractIntrusion Detection System (IDS) is a network security software and hardware widely used to detect anomaly network traffics by comparing the traffics against rules specified beforehand. Snort is one of the most famous open-source IDS system. To write a rule, Snort specifies structure and values in Snort manual. This specification is expressive enough to write in different way with the same meaning. If there are rule redundancy, it could distract performance. We, thus, propose a proof of semantical issues for Snort rule and found four pairs of Snort rule combinations that can cause redundancy. In addition, we create a tool to verify such redundancy between two rules on the public rulesets from Snort community and Emerging threat. As a result of our test, we found several redundancy issues in public rulesets if the user enables commented rules.
Citation Keynoiprasong_ids_2020