Automatic Classification and Detection of Snort Configuration Anomalies - a Formal Approach

IDSs are core elements in network security. The effectiveness of security protection provided by an IDS mainly depends on the quality of its configuration. Unfortunately, configuring an IDS is work-intensive and error prone if performed manually. As a result, there is a high demand for analyzing and discovering automatically anomalies that can arise between rules. In this paper, we present (1) a new classification of anomalies between IDS rules, (2) three inference systems allowing automatic anomaly detection for discovering rule conflicts or redundancies and potential problems in IDS configuration, (3) optimization of IDS rules by removing automatically redundant rules and (4) formal specification and validation of these techniques and demonstration of the advantages of proposed approach on the sets of rules provided by open source Snort IDS. These techniques have been implemented and we proved the correctness of our method and demonstrated its applicability and scalability. The first results we obtained are very promising.