Using CLIPS to Detect Network Intrusions

We describe how to build a network intrusion detection sensor by slightly modifying NASA's CLIPS source code and introducing some new features. An overview of the system is presented, emphasizing the strategies used to interoperate between the packet capture engine, written in C, and CLIPS. Some extensions were developed to manipulate timestamps, perform multiple string pattern matching and handle certainty factors. Several Snort functions and plugins were adapted and used for packet decoding and preprocessing. A rule translator was also built to reuse most of Snort's attack signatures. Despite some performance drawbacks, the results show that CLIPS can be used for real-time network intrusion detection under certain conditions. Several attack signatures written as CLIPS rules are shown in the appendix. By mixing CLIPS with Snort features, it was possible to bring flexibility and expressiveness to network intrusion detection.
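As an added illustration of the Snort-to-CLIPS rule translator the abstract mentions (this is not the authors' code, and the paper's real packet fact layout is not given on this page), the Python below converts a small subset of Snort rule syntax into a CLIPS defrule. It assumes a hypothetical `packet` deftemplate with `proto`, `src-ip`, `src-port`, `dst-ip`, `dst-port` and `payload` slots, and an `alert` fact asserted when a rule fires; `content` options become `str-index` predicate constraints on the payload, and `nocase` is handled by lowercasing both sides. The sample rule is constructed for the demo.

```python
"""Snort-to-CLIPS rule translation for a small rule subset (added example).

Assumed (hypothetical) CLIPS deftemplate for decoded packets:

    (deftemplate packet
       (slot proto) (slot src-ip) (slot src-port)
       (slot dst-ip) (slot dst-port) (slot payload) (slot ts))

and an (alert (sid ?) (msg ?)) fact asserted when a rule fires.
"""
import re

# Snort rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Split options on ';' only when outside double quotes.
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_snort_rule(rule):
    """Parse one Snort rule; options stay ordered because 'nocase'
    applies to the 'content' option that precedes it."""
    m = HEADER_RE.match(rule.strip())
    if m is None or m.group("dir") != "->":
        raise ValueError("unsupported rule syntax: %r" % rule)
    opts = []
    for raw in OPT_SPLIT_RE.split(m.group("opts")):
        raw = raw.strip()
        if not raw:
            continue
        key, sep, val = raw.partition(":")
        opts.append((key.strip(), val.strip().strip('"') if sep else None))
    return {"action": m.group("action"), "proto": m.group("proto").lower(),
            "src": m.group("src"), "sport": m.group("sport"),
            "dst": m.group("dst"), "dport": m.group("dport"), "opts": opts}


def _clips_str(s):
    """Escape a string for use inside a CLIPS string literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def _ip_constraint(slot, spec):
    """Literal IPv4 address -> slot constraint. 'any', $VARS and CIDR blocks
    are left unconstrained (resolving them is outside this demo)."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", spec):
        return '(%s "%s")' % (slot, spec)
    return None


def _port_constraint(slot, spec):
    """'any' -> none, '80' -> (slot 80), 'lo:hi' -> predicate constraints."""
    if spec == "any":
        return None
    if spec.isdigit():
        return "(%s %s)" % (slot, spec)
    lo, sep, hi = spec.partition(":")
    if not sep:
        raise ValueError("unsupported port spec: %r" % spec)
    var = "?" + slot.replace("-", "")
    preds = []
    if lo:
        preds.append("(>= %s %s)" % (var, lo))
    if hi:
        preds.append("(<= %s %s)" % (var, hi))
    return "(%s %s&:%s)" % (slot, var, "&:".join(preds))


def to_clips(rule):
    """Translate a Snort rule into a CLIPS defrule string."""
    r = parse_snort_rule(rule)
    sid = next(v for k, v in r["opts"] if k == "sid")
    msg = next((v for k, v in r["opts"] if k == "msg"), "")
    slots = ["(proto %s)" % r["proto"]]
    for slot, spec in (("src-ip", r["src"]), ("dst-ip", r["dst"])):
        c = _ip_constraint(slot, spec)
        if c:
            slots.append(c)
    for slot, spec in (("src-port", r["sport"]), ("dst-port", r["dport"])):
        c = _port_constraint(slot, spec)
        if c:
            slots.append(c)
    # Each 'content' becomes a str-index predicate on the payload; str-index
    # returns FALSE when the pattern is absent, which fails the constraint.
    preds = []
    for i, (key, val) in enumerate(r["opts"]):
        if key != "content":
            continue
        nocase = i + 1 < len(r["opts"]) and r["opts"][i + 1][0] == "nocase"
        if nocase:
            preds.append('(str-index "%s" (lowcase ?p))' % _clips_str(val.lower()))
        else:
            preds.append('(str-index "%s" ?p)' % _clips_str(val))
    if preds:
        slots.append("(payload ?p&:%s)" % "&:".join(preds))
    return ("(defrule sid-%s\n  (packet %s)\n  =>\n"
            '  (assert (alert (sid %s) (msg "%s"))))'
            % (sid, " ".join(slots), sid, _clips_str(msg)))


# Constructed sample rule in Snort syntax (illustrative, not from the paper).
SAMPLE_RULE = ('alert tcp any any -> $HOME_NET 80 (msg:"WEB-CGI phf access"; '
               'content:"/cgi-bin/phf"; nocase; sid:886; rev:1;)')

if __name__ == "__main__":
    print(to_clips(SAMPLE_RULE))
```

Only literal addresses, single ports and `lo:hi` ranges are constrained; `$HOME_NET`-style variables, CIDR blocks and `|hex|` content are left for a fuller translator. The multi-pattern matching extension the abstract mentions would replace the per-content `str-index` chain with one native call, which is the kind of performance concern the paper discusses.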
Added 06 Jul 2010
Updated 06 Jul 2010
Type Conference
Year 2003
Where EPIA
Authors Pedro Alípio, Paulo Carvalho, José Neves