
Computer Engineering, 2009, Vol. 35, Issue 11: 120-122. doi: 10.3969/j.issn.1000-3428.2009.11.040

• Security Technology •

Improvement and Simulation of Snort Rule Chain Structure

  1. (School of Computer and Information Technology, Shanxi University, Taiyuan 030006)
  • Received: 1900-01-01  Revised: 1900-01-01  Online: 2009-06-05  Published: 2009-06-05

Improvement and Simulation of Snort Rule Chains Structure

SUN Min, GU Xiao-ming, ZHANG Zhi-li   

  1. (School of Computer & Information Technology, Shanxi University, Taiyuan 030006)
  • Received:1900-01-01 Revised:1900-01-01 Online:2009-06-05 Published:2009-06-05

Abstract: Snort matches captured packets against its rule chains to detect attacks, so the soundness of the rule chain structure largely determines detection speed. To address local clustering in the Snort rule chain structure, this paper factors the chains by their common options and further sorts the rules by the information quantity of the options they contain. Simulation on the OPNET platform shows that the improved rule chain structure reduces rule-matching time.

Keywords: misuse intrusion detection, rule chains, factoring, network simulation

Abstract: To detect attacks, Snort matches captured packets against its rule chains, so the rationality of the rule chain structure greatly influences Snort's detection speed. To address the problem of local accumulation, this paper factors common options out of the rule chains and sorts the rules by the information quantity of their options. Simulation results on OPNET show that the improved rule chain structure reduces rule-matching time.
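The factoring and ordering step the abstract describes, shown as an added Python illustration that is not the paper's code and not Snort's. It assumes a constructed five-rule set; it takes "common options" to be the rule header plus every option pair shared by all rules under that header (the split Snort itself makes between a rule-tree node and its option-tree nodes); and it takes "information quantity" to be Shannon self-information, -log2 of the fraction of rules carrying an option pair, with rules sorted in descending order so the most selective rule heads its chain. The measure and the sort direction are assumptions, since the abstract does not state them.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample rule set (not from the paper). Three rules share a header
# and two options, so there is something to factor out and something to sort.
SAMPLE_RULES = [
    'alert tcp any any -> 10.0.0.0/24 80 (msg:"web probe A"; flags:A; content:"/cgi-bin/"; nocase;)',
    'alert tcp any any -> 10.0.0.0/24 80 (msg:"web probe B"; flags:A; content:"/admin"; nocase;)',
    'alert tcp any any -> 10.0.0.0/24 80 (msg:"web probe C"; flags:A; content:"../.."; nocase; dsize:>100;)',
    'alert tcp any any -> 10.0.0.0/24 22 (msg:"ssh scan"; flags:S;)',
    'alert udp any any -> 10.0.0.0/24 53 (msg:"dns probe"; content:"|00 00 fc|";)',
]

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(text):
    """Split one Snort-style rule into its header tuple and a list of
    (keyword, value) option pairs. The ';' splitter assumes the constructed
    samples contain no escaped semicolons inside quoted values."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    header = tuple(m.group(i) for i in range(1, 8))
    options = []
    for opt in m.group(8).split(';'):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(':')
            options.append((key.strip(), value.strip()))
    return header, options


def option_information(rules):
    """Information quantity of each option pair, taken (assumption) as Shannon
    self-information: -log2 of the fraction of rules that carry the pair."""
    n = len(rules)
    counts = Counter(pair for _, options in rules for pair in set(options))
    return {pair: -math.log2(c / n) for pair, c in counts.items()}


def build_chains(rule_texts):
    """Group rules by header, factor out the options common to every rule in
    the group, and sort the remaining rules by the information quantity of
    their residual options (descending, so the most selective rule is tested
    first in its chain; the direction is an assumption)."""
    rules = [parse_rule(t) for t in rule_texts]
    info = option_information(rules)
    by_header = defaultdict(list)
    for header, options in rules:
        by_header[header].append(options)

    chains = {}
    for header, option_lists in by_header.items():
        common = set(option_lists[0])
        for options in option_lists[1:]:
            common &= set(options)
        common = {p for p in common if p[0] != 'msg'}   # msg is a label, not a test
        nodes = []
        for options in option_lists:
            residual = [p for p in options if p not in common and p[0] != 'msg']
            msg = next((v for k, v in options if k == 'msg'), '')
            nodes.append({'msg': msg, 'options': residual,
                          'info': sum(info[p] for p in residual)})
        nodes.sort(key=lambda node: node['info'], reverse=True)
        chains[header] = {'common': sorted(common), 'rules': nodes}
    return chains


if __name__ == '__main__':
    for header, chain in build_chains(SAMPLE_RULES).items():
        print(' '.join(header), 'common:', chain['common'])
        for node in chain['rules']:
            print(f"  {node['info']:.2f}  {node['msg']}  {node['options']}")
```

Running it on the constructed set yields three chains: the port-80 chain has `flags:A` and `nocase` factored into its head, and its three rules are ordered with "web probe C" first because its two residual options are each unique in the set, so matching a packet against that chain performs the shared tests once rather than three times.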

Key words: misuse intrusion detection, rule chains, factoring, network simulation

CLC number: