In this thesis we propose a method for analyzing the rules that detect suspected intrusion attacks, so that when a suspected attack occurs the rule-processing load assigned to each machine is reduced and balanced across machines. The intrusion detection software used is Snort 2.2.0. Snort ships with close to three thousand rules, and the question is how to select, from this many rules, the subset to assign to each Snort sensor. We take the order in which Snort matches rules against a packet as the basis, sort the rules in that order, and then distribute them evenly across multiple Snort sensors. Of course, the sensors may not all process at the same speed, so some of them could become overloaded and the work would not be balanced; we therefore give each rule a weight: faster machines are assigned rules with higher weights, and slower machines rules with lower weights. We also use the Snort rule header as the basis for classifying rules, and distribute the rules to the machines evenly according to both their class and their weight. Finally, we discuss how to assign rule weights and the effects of this algorithm.
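The following is an added example, not code from the thesis, that sketches the distribution scheme described above: rules are parsed from their Snort 2.x header, grouped by a header-derived class, given a weight, and handed out greedily to sensors of unequal speed so that faster sensors receive heavier rules. Everything not stated in the abstract is an assumption made here: the class is (protocol, destination port), the weight is a hypothetical cost heuristic (one unit per `content` match, three per `pcre`), sensor speeds are relative capacities supplied by the operator, and the sample rules are constructed rather than taken from the official rule set.

```python
"""Weighted distribution of Snort rules across sensors of unequal speed.

Added example (not the thesis's own code).  Assumptions, labelled as such:
  * rule weight is a hypothetical cost heuristic derived from the options
    (1 unit per content match, 3 per pcre), not the thesis's metric;
  * the header class is (protocol, destination port);
  * sensor capacities are relative speeds supplied by the operator;
  * the rules below are constructed Snort 2.x-style signatures.
"""
import re
from collections import defaultdict

# Constructed sample rules in Snort 2.x syntax (not from the official rule set).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI test one"; flow:to_server,established; content:"GET"; content:"/cgi-bin/"; pcre:"/\\.pl(\\?|$)/"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC test two"; flow:to_server,established; content:"POST"; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-ATTACKS test three"; content:"/etc/passwd"; content:"../"; sid:1000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh test"; content:"SSH-"; depth:4; sid:1000004; rev:1;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS test"; content:"|00 01 00 00|"; sid:1000005; rev:1;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP test"; itype:8; sid:1000006; rev:1;)',
]

# Rule header: action proto src sport direction dst dport, then "(options)".
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


def parse_rule(text):
    """Split one rule into its header fields, its option list and its sid."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = m.groupdict()
    # Splitting on ';' is enough for these samples; a production parser must
    # honour escaped semicolons inside content/pcre strings.
    opts = [o.strip() for o in rule.pop('opts').split(';') if o.strip()]
    rule['options'] = opts
    rule['sid'] = int(next(o.split(':', 1)[1] for o in opts if o.startswith('sid:')))
    return rule


def rule_class(rule):
    """Header-based class (assumption): protocol and destination port."""
    return (rule['proto'], rule['dport'])


def rule_weight(rule):
    """Hypothetical cost: 1 baseline, +1 per content match, +3 per pcre."""
    w = 1
    for o in rule['options']:
        if o.startswith('content:'):
            w += 1
        elif o.startswith('pcre:'):
            w += 3
    return w


def dispatch(rule_texts, capacities):
    """Distribute rules over sensors.

    capacities: {sensor_name: relative speed}.  Within each header class the
    heaviest rules are placed first, each on the sensor whose normalised load
    (total weight / capacity) would stay lowest, so faster sensors end up
    with the heavier rules.  Returns ({sensor: [sid, ...]}, {sensor: load}).
    """
    names = sorted(capacities)
    assigned = {n: [] for n in names}
    load = {n: 0 for n in names}
    by_class = defaultdict(list)
    for r in (parse_rule(t) for t in rule_texts):
        by_class[rule_class(r)].append(r)
    for key in sorted(by_class):
        for r in sorted(by_class[key], key=lambda r: (-rule_weight(r), r['sid'])):
            w = rule_weight(r)
            # Tie-break on name so the result is deterministic.
            target = min(names, key=lambda n: ((load[n] + w) / capacities[n], n))
            assigned[target].append(r['sid'])
            load[target] += w
    return assigned, load


if __name__ == '__main__':
    # Two sensors, one twice as fast as the other (operator-supplied assumption).
    assignment, loads = dispatch(SAMPLE_RULES, {'fast': 2.0, 'slow': 1.0})
    for sensor in assignment:
        print(sensor, 'load=%d normalised=%.1f sids=%s'
              % (loads[sensor], loads[sensor] / {'fast': 2.0, 'slow': 1.0}[sensor],
                 assignment[sensor]))
```

With the two sample sensors the fast one receives total weight 11 and the slow one 5, i.e. normalised loads of 5.5 and 5.0, which is the balance the scheme aims for; with equal capacities the same code degenerates to plain even distribution within each class.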