In the field of network security, computerized tools are often used to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. A network intrusion detection system (NIDS) is an example of a computerized network security tool—which can be implemented as a networked device or software application—that monitors a network or systems to detect malicious activity or policy violations. A network intrusion prevention system (NIPS) is another example of a computerized network security tool—which can be implemented as a networked device or software application—that aims to prevent such malicious activity or policy violations. These computerized network security tools are collectively referred to herein as network security systems.
Snort is an open source network security system that can, in different modes, read and display network packets on Internet Protocol (IP) networks (sniffing); log network packets (packet logging); and monitor and analyze network traffic (intrusion detection). Snort is known to those skilled in the network security art and thus is not further described herein for the sake of brevity.
A network security system such as Snort is generally programmed to detect certain events (referred to as Snort events) in a computer network and send out security alerts to human network security analysts. A human network security analyst may review the Snort event data that triggered a security alert and determine whether or not to escalate to the management of the computer network under monitoring. Given the massive amounts of Snort event data that may come through a network security system at any given time, as well as the improbability that human network security analysts will catch all potential cyber attacks, there is room for innovation and improvement.
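The volume problem described above is easiest to see on concrete alert data. The following is an added example, not code from the patent or from the Snort project: it parses alert lines in Snort's "fast" output format (timestamp, [gid:sid:rev], message, classification, priority, protocol, source -> destination), collapses the per-packet alerts into one row per rule, and orders the rows the way an analyst would triage them (Snort priority 1 is the most severe). The rule identifiers, messages and addresses in the sample are constructed for this example; the `escalation_candidates` heuristic is an assumption of this example, not a Snort feature.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Snort "fast" alert line layout. The optional classification and the
# port-less source/destination (e.g. ICMP) are both handled.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s]+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s]+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (SIDs in the local 1000000+ range, RFC 5737 test
# addresses); the last line is deliberately malformed to exercise error handling.
SAMPLE_ALERTS = """\
03/14-10:02:11.001234  [**] [1:1000001:2] EXAMPLE SCAN portsweep from single host [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:44011 -> 198.51.100.10:22
03/14-10:02:11.002010  [**] [1:1000001:2] EXAMPLE SCAN portsweep from single host [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:44012 -> 198.51.100.11:22
03/14-10:02:11.002877  [**] [1:1000001:2] EXAMPLE SCAN portsweep from single host [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:44013 -> 198.51.100.12:22
03/14-10:02:15.500000  [**] [1:1000002:1] EXAMPLE POLICY cleartext credential over HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.20:51432 -> 192.0.2.5:80
03/14-10:02:16.000000  [**] [1:1000003:1] EXAMPLE ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.9 -> 198.51.100.10
this line is not a Snort alert
"""


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    dst: str


def parse_alert(line: str):
    """Parse one fast-format alert line; return an Alert, or None if malformed."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Alert(
        ts=d["ts"], gid=int(d["gid"]), sid=int(d["sid"]), rev=int(d["rev"]),
        msg=d["msg"], classification=d["cls"] or "unclassified",
        priority=int(d["prio"]), proto=d["proto"], src=d["src"], dst=d["dst"],
    )


def summarize(lines):
    """Group alerts by rule so the analyst sees one row per rule, not one per packet."""
    groups = defaultdict(lambda: {"count": 0, "sources": set(), "targets": set()})
    malformed = 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            malformed += 1          # count but never silently drop bad input
            continue
        g = groups[(a.gid, a.sid, a.rev)]
        g.update(msg=a.msg, priority=a.priority, classification=a.classification)
        g["count"] += 1
        g["sources"].add(a.src)
        g["targets"].add(a.dst)
    rows = [{
        "rule": f"{gid}:{sid}:{rev}", "msg": g["msg"], "priority": g["priority"],
        "classification": g["classification"], "count": g["count"],
        "distinct_sources": len(g["sources"]), "distinct_targets": len(g["targets"]),
    } for (gid, sid, rev), g in groups.items()]
    # Most severe priority first; within a priority, the noisiest rule first.
    rows.sort(key=lambda r: (r["priority"], -r["count"]))
    return {"rows": rows, "malformed": malformed}


def escalation_candidates(summary, min_priority=1, fanout=3):
    """Hypothetical triage heuristic: rules at the highest severity, plus any rule
    that fired against several distinct targets (one source touching many hosts)."""
    return [r["rule"] for r in summary["rows"]
            if r["priority"] <= min_priority or r["distinct_targets"] >= fanout]


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS.splitlines())
    for r in s["rows"]:
        print(f"P{r['priority']} {r['rule']:<12} x{r['count']:<3} "
              f"src={r['distinct_sources']} dst={r['distinct_targets']}  {r['msg']}")
    print("malformed lines:", s["malformed"])
    print("escalate first:", escalation_candidates(s))
```

Three portsweep alerts collapse into a single row with three distinct targets, the priority-1 policy alert sorts to the top, and the malformed line is counted rather than discarded; the escalation list is what a human analyst would open first, which is exactly the triage step the passage describes as hard to scale by hand.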