VisSRA: Visualizing Snort Rules and Alerts

Snort is a rule-based intrusion detection system, applying defined rules to inspect suspicious packets in network. An alert will be generated if an alert rule is triggered. Analysis of the relation between rules and alerts can help network administrators to analyze alerts easily so as to identify network attacks. The aim of this work is to develop a visualization tool that can be used to view the rules and alerts in visualization. The proposed visualization tool, which is called VisSRA, also can be used to find the relation between rules and alerts, view the number of alerts triggered by a rule and check the alerts quickly. Tree maps were used to visualize rules Snort contains and alerts Snort generates which are shown as cells with different colors. The system uses the graphical and statistical manners to allow even novices to get an overview of network state. In this paper, an experiment was given to show the proposed approach could bring some convenience of browsing and analyzing network anomalies to administrators.