Evaluating the effectiveness of free rule sets for Snort

Abstract: As more of the modern world is connected to the Internet, threats can reach further than ever before. Attacks happen all the time and many have serious consequences that disrupts the daily processes of people and companies, possibly causing lasting damage. To fight back, defensive tools are used to find and counter attacks. One of these tools is Snort. Snort finds malicious data packets and warns the user and counters the found attack. Snort relies on a list of signatures of different attacks, called a rule set, to know what is malicious. Many rule sets are available as paid subscriptions, but there are free alternatives. But how well can Snort defend a network using these free rule sets? By designing a network for experimentation and populating it with realistic background traffic, a group of rule sets are evaluated using a set of common attacks and tools. The performance hit when defending in a high speed, high bandwidth environment is evaluated as well. The results favour the Emerging Threats rule set. As for performance, Snort could not handle the most extreme amounts of traffic, with the rate of dropped packets making security dubious, but that occurred at the absolute peak of what consumer hardware can provide.