LASSP: A logic analyzer for tweaking snort security and performance

Snort, an intrusion detection/prevention system (IDS/IPS), performs protocol analysis, content searching/matching, and is commonly used to actively block or passively detect a variety of attacks and probes. When snort is running in intrusion detection mode, it allows the user to analyze network traffic against s user defined set of rules. A rich set of rules is easily available which allows a non-expert of security to use snort for his network protection with a false sense of confidence. Snort rules are quite large in size and number thus adding or deleting rules without a proper understanding may lead to an unsecure environment. Moreover enabling all rules in the list in snort configuration might enable security but can cause severe performance degradation. We have developed a system that infers security and performance levels of snort by analyzing its configuration and the snort rules that are enabled. This system may facilitate a non-expert of security to automatically tweak the security and performance levels of his network and to configure it according to the organizational policy.