Advanced Computing: An International Journal (ACIJ), Vol.3, No.3, May 2012
DOI: 10.5121/acij.2012.3312

Gaurav Raj 1, Munish Katoch 2
1 Asst. Prof., Lovely Professional University, er.gaurav.raj@gmail.com
2 M. Tech. Student, Lovely Professional University, Phagwara, munishkatoch710@gmail.com

ABSTRACT

With the invention of new tools and technologies, attackers are designing new methods to evade present security models. One such security model is intrusion detection. Intrusion detection systems work on signature-based analysis and anomaly-based detection, which makes them vulnerable to new evasion techniques. This work describes the mitigation of evasion techniques through a better PCRE-based rules approach. In this paper we design improved PCRE-based rules to prevent evasion techniques on cloud systems.

KEYWORDS

Cloud Computing, PCRE Signature, Virtual Machine

1. INTRODUCTION

Intrusion detection is the process of monitoring and analysing the events occurring in a computer system or network for signs of possible incidents. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection systems and intrusion prevention systems (IDS/IPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to the security administrator.

We set up the platform to implement the IDS and IPS over Ubuntu (a Linux distribution) with Snort as the IDS and IPS engine. We use BASE and Aanval as real-time network monitoring frontends. To store alerts and logs we use MySQL as a central database. An Apache server is also required to run the frontends. As we are setting up these systems on the cloud, we need to implement them on virtual machines, so we build the virtual environment for attack detection and traffic analysis using VMware.
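The abstract's claim that PCRE-based rules resist evasion better than fixed-string content matching can be made concrete with a small experiment. The following is an added example, not the paper's rules or code: it parses three hypothetical Snort-syntax rules (sids in the local 1000000+ range are placeholders), evaluates them with a toy matcher that applies no preprocessor normalisation, and runs them over constructed HTTP request lines in which the same literal appears raw, with its case changed, and with characters percent-encoded. The `encoding_tolerant_pcre` helper is an assumption about how such a rule could be built, not a Snort feature.

```python
import re

# Constructed sample HTTP request lines (not captures from the paper's testbed).
SAMPLES = {
    "plain":    "GET /scripts/cmd.exe HTTP/1.1",
    "mixed":    "GET /scripts/CmD.ExE HTTP/1.1",
    "dot_enc":  "GET /scripts/cmd%2eexe HTTP/1.1",
    "char_enc": "GET /scripts/%63md.%65xe HTTP/1.1",
    "benign":   "GET /index.html HTTP/1.1",
}

# One Snort rule option: a name, optionally ":value" (quoted or bare), then ';'.
OPT_RE = re.compile(r'\s*(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_options(rule):
    """Return the options inside the rule's parentheses as a dict;
    flag options such as `nocase;` map to True."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for m in OPT_RE.finditer(body):
        val = m.group(2)
        if val is None:
            val = True
        elif val.startswith('"'):
            val = val[1:-1]
        opts[m.group(1)] = val
    return opts


def pcre_to_python(spec):
    """Translate Snort's "/pattern/flags" pcre syntax (i, s, m flags) to re."""
    end = spec.rindex(spec[0])
    pattern, flags = spec[1:end], spec[end + 1:]
    fl = 0
    for f in flags:
        fl |= {"i": re.I, "s": re.S, "m": re.M}[f]
    return re.compile(pattern, fl)


def rule_matches(rule, payload):
    """Toy evaluator (assumption, not Snort): content (+nocase) is a fixed
    substring test on the raw payload and pcre is a regex search on the same
    raw payload. No preprocessor normalisation is applied, so the rule alone
    has to cope with case and percent-encoding."""
    opts = parse_options(rule)
    if "content" in opts:
        hay, needle = payload, opts["content"]
        if "nocase" in opts:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    if "pcre" in opts and not pcre_to_python(opts["pcre"]).search(payload):
        return False
    return True


def encoding_tolerant_pcre(literal):
    """Build a pcre option body that matches `literal` whether each character
    appears raw or as a %XX escape, case-insensitively (hypothetical helper)."""
    parts = [f"(?:{re.escape(ch)}|%{ord(ch):02x})" for ch in literal]
    return "/" + "".join(parts) + "/i"


# Hypothetical rules in Snort syntax; sids 1000001-1000003 are placeholders.
HEADER = "alert tcp any any -> $HOME_NET 80 "
CONTENT_RULE = HEADER + '(msg:"cmd.exe in URI"; content:"cmd.exe"; sid:1000001; rev:1;)'
NOCASE_RULE = HEADER + '(msg:"cmd.exe in URI, nocase"; content:"cmd.exe"; nocase; sid:1000002; rev:1;)'
PCRE_RULE = HEADER + '(msg:"cmd.exe in URI, pcre"; pcre:"' + encoding_tolerant_pcre("cmd.exe") + '"; sid:1000003; rev:1;)'


def hits(rule, samples=SAMPLES):
    """Sorted names of the sample payloads the rule fires on."""
    return sorted(name for name, req in samples.items() if rule_matches(rule, req))


if __name__ == "__main__":
    for rule in (CONTENT_RULE, NOCASE_RULE, PCRE_RULE):
        print(parse_options(rule)["msg"], "->", hits(rule))
```

Run stand-alone, the plain content rule fires only on the literal request, `nocase` adds the mixed-case one, and the generated pcre option fires on all four variants while leaving the benign request alone. One caveat for deployment: real Snort's HTTP preprocessor already URL-decodes the URI buffer that `http_uri`/`uricontent` options inspect, so a production rule should use that normalised buffer first and reserve pcre alternations like the one generated here for encodings or protocols the preprocessor does not normalise.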
A Bind server provides DNS services for the clients, and an Ubuntu desktop is set up as the gateway system. Backtrack 5 is used as the attacking host and a Windows host as the victim.

1.1 Snort as IDS/IPS

Snort is an open source intrusion detection and prevention technology. Snort uses a rule-driven language which combines the benefits of signature, protocol and anomaly-based inspection methods. As an IDS and IPS, it can perform real-time packet analysis and logging on the network. Protocol analysis and content searching/matching are the most powerful features of Snort; they can be used to detect a variety of attacks such as buffer overflows, stealth port scans, SMB probes and OS footprinting. Snort can be configured for three different modes:

a) Sniffer
b) Packet logger
c) Network intrusion detector

Sniffer mode reads real-time traffic from the network and simply displays it on the console, whereas packet logger mode is used where we need to store the real-time traffic into the