Abstract

In recent years, network intrusion detection systems (NIDS) have faced a serious throughput challenge as network links have moved to 1 and 10 Gbps rates, which requires a NIDS to process packets at wire speed and detect malicious traffic in real time. Snort, the most popular NIDS, is open-source software that runs as a single-threaded application, so its processing and detection capacity can be exceeded on 1 and 10 Gbps links. To overcome this limitation, we present the design and implementation of a two-layer NIDS that accelerates Snort detection. The design combines hardware and software components: Snort operates as the second line of defense behind hardware-assisted inspection of packet headers. Snort's most frequently used rules are offloaded to a NetFPGA-based hardware layer, which uses a Bloom filter to analyze and filter incoming packets whose header fields match those of the offloaded rules. The most frequently triggered rules are offloaded dynamically, and Snort is invoked only when an incoming packet requires deep packet inspection. Experimental results show a significant improvement in CPU usage and a large reduction in packet loss when Snort runs behind NetFPGA filtering.
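
The abstract describes the two mechanisms that make the design work: a Bloom filter over rule header fields in front of Snort, and a feedback loop that moves the most frequently triggered rules into that filter. The following software model, written for this page as an added illustration (it is not the paper's NetFPGA code, nor Snort), puts both together. Everything in it is assumed: the rule set and SIDs are constructed, rules are keyed on (protocol, destination port) only, a filter hit sends the packet to the Snort stage while a miss takes the fast path, and a hypothetical `sample_every` refinement still inspects every Nth miss so that trigger counts keep feeding the offload decision. The security-relevant property is the Bloom filter's one-sided error: a miss proves the header matches none of the offloaded rules, so the bypass is exact with respect to that set, while a false positive only costs an extra trip to deep packet inspection.

```python
"""Model of a two-layer NIDS: Bloom-filter header pre-filter + simulated Snort.
Added illustration only; not the paper's NetFPGA implementation or Snort."""
import hashlib
from collections import Counter


class BloomFilter:
    """Fixed-size bit array probed at k hash positions per key.
    No false negatives: a miss proves the key was never added.
    False positives are possible and only cost an extra DPI pass."""

    def __init__(self, m_bits=4096, k_hashes=4):
        self.m, self.k = m_bits, k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, key):
        # Kirsch-Mitzenmacher double hashing: k positions from one SHA-256
        d = hashlib.sha256(key).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, key):
        for p in self._positions(key):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, key):
        return all((self.bits[p >> 3] >> (p & 7)) & 1 for p in self._positions(key))


def header_key(proto, dport):
    # Assumption: rules are "proto any any -> any dport", so (proto, dport)
    # is the only header information the hardware layer needs to match.
    return f"{proto}/{dport}".encode()


def pkt(proto, dport, payload):
    return {"proto": proto, "dport": dport, "payload": payload}


# Constructed rule set with hypothetical SIDs (not real Snort rules).
RULES = [
    {"sid": 1000001, "proto": "tcp", "dport": 80,  "content": b"/etc/passwd"},
    {"sid": 1000002, "proto": "tcp", "dport": 445, "content": b"\xffSMB"},
    {"sid": 1000003, "proto": "udp", "dport": 53,  "content": b"\x00\x00\xfc"},
    {"sid": 1000004, "proto": "tcp", "dport": 22,  "content": b"SSH-1.99"},
]


class SnortStage:
    """Stand-in for Snort: header plus payload match, with per-rule trigger counts."""

    def __init__(self, rules):
        self.rules = rules
        self.triggers = Counter()

    def inspect(self, p):
        hits = [r["sid"] for r in self.rules
                if r["proto"] == p["proto"] and r["dport"] == p["dport"]
                and r["content"] in p["payload"]]
        self.triggers.update(hits)
        return hits


class TwoLayerNIDS:
    """Layer 1 (hardware model): Bloom filter of offloaded rule headers.
    Layer 2: Snort stage, reached on a filter hit or on a sampled miss."""

    def __init__(self, rules, top_k=2, rebuild_every=50, sample_every=10):
        self.snort = SnortStage(rules)
        self.top_k, self.rebuild_every, self.sample_every = top_k, rebuild_every, sample_every
        self.filter = None          # None = nothing offloaded yet: everything goes to Snort
        self.seen = 0
        self.stats = Counter()

    def offload_frequent_rules(self):
        # Dynamic offload: rebuild the filter from the most frequently triggered rules.
        by_sid = {r["sid"]: r for r in self.snort.rules}
        bf = BloomFilter()
        for sid, _ in self.snort.triggers.most_common(self.top_k):
            bf.add(header_key(by_sid[sid]["proto"], by_sid[sid]["dport"]))
        self.filter = bf

    def process(self, p):
        self.seen += 1
        send_to_snort = True
        if self.filter is not None and header_key(p["proto"], p["dport"]) not in self.filter:
            # A miss is exact: no offloaded rule can match this header.
            self.stats["misses"] += 1
            # Assumed refinement: inspect every Nth miss so trigger counts stay fresh.
            send_to_snort = self.stats["misses"] % self.sample_every == 0
            self.stats["sampled" if send_to_snort else "bypassed"] += 1
        hits = []
        if send_to_snort:
            self.stats["inspected"] += 1
            hits = self.snort.inspect(p)
        if self.seen % self.rebuild_every == 0:
            self.offload_frequent_rules()
        return hits


def demo():
    """Constructed traffic: 20 warm-up packets (all inspected, filter empty), then
    20 packets of which only the tcp/80 ones hit the offloaded headers."""
    nids = TwoLayerNIDS(RULES, top_k=2, rebuild_every=20, sample_every=5)
    warmup = ([pkt("tcp", 80, b"GET /etc/passwd HTTP/1.1")] * 8
              + [pkt("tcp", 445, b"\x00\x00\x00\x55\xffSMB")] * 6
              + [pkt("udp", 53, b"\x12\x34\x01\x00")] * 5
              + [pkt("tcp", 22, b"SSH-1.99-OpenSSH")] * 1)
    steady = ([pkt("udp", 53, b"\x12\x34\x01\x00")] * 10
              + [pkt("tcp", 22, b"SSH-1.99-OpenSSH")] * 5
              + [pkt("tcp", 80, b"GET /index.html HTTP/1.1")] * 5)
    for p in warmup + steady:
        nids.process(p)
    return nids


if __name__ == "__main__":
    n = demo()
    print(dict(n.stats), dict(n.snort.triggers))
```

In the demo the first rebuild offloads the two hottest rules (tcp/80 and tcp/445), after which udp/53 and tcp/22 traffic takes the fast path except for every fifth miss; without that sampling, a rule that was never offloaded could not accumulate triggers again and the "dynamic" part of the offload would freeze. A practitioner evaluating such a design should measure exactly that: how much of the traffic bypasses Snort, and which rules can no longer fire on the bypassed share.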
