A Lightweight Estimation Algorithm To Auto Configure Snort Fast Pattern Matcher

2019 
With the emergence of Network Function Virtualization (NFV) technology, researchers have started to implement typical software Intrusion Detection Systems (IDS) as Virtual Network Functions (VNFs) to improve the scalability of IDS deployment. Determining the setup and configuration of every instance to optimize VNF performance is one of the core challenges in NFV scenarios. Previous research mainly focuses on how an IDS performs under different Virtual Machine (VM) setups and simply loads its default configuration. However, when loading different rulesets and running the IDS under different VM setups, the default configuration may not always lead to optimal performance. In this paper, we focus on the configuration problem of Snort. We propose a lightweight estimation algorithm to auto-configure the most performance-related part of Snort, the Fast Pattern Matcher (FPM). We first explore how the FPM's options influence Snort's packet detection through several measurement experiments. We then summarize some basic principles for designing our auto-configuration algorithm. Finally, we implement the algorithm to evaluate its accuracy and efficiency. The results show that our algorithm can find a better configuration than the default one in various situations; meanwhile, the algorithm takes only a few seconds to run, which is important if we want to integrate an auto-configuration module into NFV dynamic and elastic scheduling strategies.