Using CLIPS to Detect Network Intrusion

Pedro Alípio, Paulo Carvalho, José Neves

Universidade do Minho
Departamento de Informática
P-4710-057 Braga, Portugal

Tel.: +351 253 604430
Fax.: +351 253 604471
E-mail: pmc (at)


This paper shows how to build a network intrusion detection system by slightly modifying NASA's CLIPS source code introducing features such as single and multiple string pattern matching, certainty factors and time-stamp operators. Several Snort functions and plugins were adapted and used for packet decoding and preprocessing to provide the basic requirements for such a system. The integration of CLIPS and Snort features allows the specification of complex stateful network intrusion detection heuristics which can model abstract attack scenarios. To take advantage of the most recent attack signatures, a Snort ruleset translator was also developed. The results show that CLIPS can be useful to follow and correlate intruder activities by monitoring network traffic. Examples of attack signatures using CLIPS rules are also provided.

Lecture Notes in Computer Science, vol 2902, Springer-Verlag, Dec 2003