Since the time of Denning's model for the intrusion detection system (IDS), the system that laid the basis for most modern IDSes, intrusion detection technologies have grown in both complexity and sophistication. Yet challenges related to accuracy, management, and the detection of new attacks abound. This work focuses on the management issue. Specifically, it addresses the problem of determining the enabled and disabled states of rules in a rule-based IDS. Knowing the state of a rule in this regard is important because a rule-based IDS can detect a particular event only if it has a rule to detect that event and that rule is enabled. This work develops an algorithm to monitor the enabled/disabled state of rules of a signature-based IDS. Given a particular action that a rule would execute when invoked, the algorithm proceeds as follows: (1) it searches through each of the rule sets (sets of rules having similar characteristics) for rules bearing the given action, (2) for each such rule, it determines whether that rule is enabled or disabled, and (3) for each rule set, it reports the total number of enabled and disabled rules, and creates two files containing the line numbers in the rule set where each enabled and disabled rule, respectively, can be found. The algorithm is implemented in Python and is run against Snort as a test case. Statistical results were obtained, and the following are some of the findings: (a) the vast majority of rules are inactive by default, (b) of all the actions that could be taken when a rule is invoked, the ALERT action far outpaced its counterparts, and (c) across the rule versions that were examined, the number of rules is growing significantly.
Turner, C., Jeremiah, R., Richards, D., & Joseph, A. (2016). A Rule Status Monitoring Algorithm for Rule-Based Intrusion Detection and Prevention Systems. In Procedia Computer Science (Vol. 95, pp. 361–368). Elsevier B.V. https://doi.org/10.1016/j.procs.2016.09.346
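The three steps of the algorithm described in the abstract can be implemented as a small Snort rule-file scanner. The code below is an added illustration written for this page; it is not the authors' implementation and its internals (function names, the regular expression, the output file naming) are this example's own choices. It assumes, as is the case in Snort rule files, that a rule is disabled by commenting out its line with a leading `#`, so the scanner has to tell a commented-out rule apart from an ordinary comment; it does that by requiring a Snort rule header (action, protocol, source, source port, direction operator, destination, destination port) before counting a line as a rule. The sample rule set embedded at the bottom is constructed for the example and is not taken from any Snort distribution.

```python
"""Rule status monitor for Snort-style rule files (added example, not the paper's code)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

# Snort 2 rule actions and protocols. Assumption: only these keywords start a rule.
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# Rule header: action proto src sport (->|<>) dst dport [ (options) ]
# Requiring the direction operator keeps free-text comments from being counted as rules.
RULE_HEADER = re.compile(
    r"^(?P<action>[a-z]+)\s+(?P<proto>[a-z]+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+"
)


@dataclass
class RuleSetStatus:
    """Per-rule-set report: step (3) of the algorithm."""
    name: str
    enabled: list = field(default_factory=list)    # line numbers of enabled rules bearing the action
    disabled: list = field(default_factory=list)   # line numbers of disabled rules bearing the action
    actions: Counter = field(default_factory=Counter)  # how often each action occurs (any state)


def logical_lines(text):
    """Yield (starting_line_number, joined_text), honouring Snort's backslash continuations."""
    buf, start = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = number
        if line.endswith("\\"):           # rule continues on the next physical line
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:                               # file ended inside a continuation
        yield start, " ".join(buf)


def classify(logical):
    """Return (action, enabled) if the logical line is a rule, else None (comment, blank, directive)."""
    text = logical.strip()
    disabled = False
    if text.startswith("#"):
        # Step (2): a commented-out rule is a disabled rule; strip the comment marker and re-check.
        disabled = True
        text = text.lstrip("#").strip()
    match = RULE_HEADER.match(text)
    if not match or match["action"] not in ACTIONS or match["proto"] not in PROTOCOLS:
        return None
    return match["action"], not disabled


def monitor(rule_sets, action):
    """Step (1): scan every rule set for rules bearing `action`; rule_sets maps set name -> file text."""
    report = {}
    for name, text in rule_sets.items():
        status = RuleSetStatus(name)
        for number, logical in logical_lines(text):
            classified = classify(logical)
            if classified is None:
                continue
            rule_action, enabled = classified
            status.actions[rule_action] += 1          # feeds the per-action statistics
            if rule_action == action:
                (status.enabled if enabled else status.disabled).append(number)
        report[name] = status
    return report


def write_reports(report, outdir):
    """Step (3): one file of enabled and one of disabled line numbers per rule set."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    for name, status in report.items():
        for state, numbers in (("enabled", status.enabled), ("disabled", status.disabled)):
            path = outdir / f"{name}.{state}.txt"
            path.write_text("".join(f"{n}\n" for n in numbers))


# Constructed sample rule set for this example; sids in the local range, not real Snort rules.
SAMPLE_RULES = "\n".join([
    "# Constructed sample rule set (not from any Snort distribution)",
    '# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"disabled rule"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"enabled rule"; sid:1000002; rev:1;)',
    'alert udp any any -> $HOME_NET 53 (msg:"continued rule"; \\',
    "    sid:1000003; rev:1;)",
    '#alert icmp any any -> any any (msg:"disabled, no space after #"; sid:1000004; rev:1;)',
    'drop tcp any any -> $HOME_NET 22 (msg:"drop rule"; sid:1000005; rev:1;)',
    "log tcp any any -> any 23",
])

if __name__ == "__main__":
    for name, status in monitor({"local": SAMPLE_RULES}, "alert").items():
        print(name, "enabled:", status.enabled, "disabled:", status.disabled, dict(status.actions))
```

Run against a real installation, `rule_sets` would be built by reading each `*.rules` file under the Snort rules directory into a string keyed by its file name; the per-set `actions` counter gives the action distribution the paper reports in finding (b), and summing `enabled` against `disabled` across sets gives the default-inactive proportion of finding (a).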