

Research on Implementation and Improvement of Intrusion Detection System Based on Snort

With the rapid development of network technology and the widespread use of networked environments, network security problems have become increasingly prominent. As a newer security measure, intrusion detection has come to play an important role. Snort is a powerful, lightweight network intrusion detection system. This paper studies Snort in depth. First, it describes the features, architecture and workflow of Snort. Then it implements a Snort intrusion detection system on the Windows platform; with a MySQL database and the analyst control console ACID, intrusion events can be managed efficiently. The paper pays particular attention to Snort's fast detection engine and the pattern matching algorithms that engine uses. A new multi-pattern matching algorithm based on feature values is proposed and applied in Snort; according to the experimental results, the new algorithm improves the efficiency of the Snort detection engine. Next, the paper proposes applying protocol state analysis in Snort to detect DDoS, which is a multistep attack: a finite state machine is used to analyze the state transitions of a protocol, so that a network attack is converted into a process of protocol state transitions. The paper discusses in particular the detailed state transitions of the TCP three-way handshake, in order to strengthen Snort's ability to detect SYN flood attacks. Finally, the work is summarized and some suggestions for future work are given.
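
The protocol state analysis described above, as an added example that is not the paper's code or a Snort component: a finite state machine follows each TCP three-way handshake and reports servers with too many half-open connections. The state names, record layout, threshold and timeout are assumptions of this example, and the sample traffic is constructed.

```python
# Handshake FSM: (state, TCP flags seen) -> next state. State names and the
# flag strings "S", "SA", "A", "R" are this example's own, not Snort's.
FSM = {
    (None, "S"): "SYN_SEEN",              # client SYN opens a flow
    ("SYN_SEEN", "S"): "SYN_SEEN",        # retransmitted SYN
    ("SYN_SEEN", "SA"): "SYNACK_SEEN",    # server answers
    ("SYNACK_SEEN", "SA"): "SYNACK_SEEN", # retransmitted SYN+ACK
    ("SYNACK_SEEN", "A"): "ESTABLISHED",  # client's final ACK
}

def detect_syn_flood(packets, threshold=100, timeout=30.0):
    """packets: time-ordered (ts, src, sport, dst, dport, flags) tuples.
    Returns {(server_ip, port): peak} for servers where more than `threshold`
    handshakes begun in the last `timeout` seconds were still incomplete."""
    pending = {}  # server -> {client: (state, first_seen)}, oldest first
    peaks = {}
    for ts, src, sport, dst, dport, flags in packets:
        a, b = (src, sport), (dst, dport)
        if "R" in flags:                  # a reset tears the flow down
            pending.get(a, {}).pop(b, None)
            pending.get(b, {}).pop(a, None)
            continue
        client, server = (b, a) if flags == "SA" else (a, b)
        flows = pending.get(server, {})
        state, first = flows.get(client, (None, ts))
        nxt = FSM.get((state, flags))
        if nxt is None:
            continue                      # not a handshake transition
        if nxt == "ESTABLISHED":
            flows.pop(client, None)       # handshake completed
        else:
            pending.setdefault(server, flows)[client] = (nxt, first)
        # Expire stale half-open flows (dicts keep insertion order).
        while flows and ts - next(iter(flows.values()))[1] > timeout:
            del flows[next(iter(flows))]
        if len(flows) > threshold:
            peaks[server] = max(peaks.get(server, 0), len(flows))
    return peaks

def sample_packets():
    """Constructed records: 3 completed handshakes, then 150 unanswered ones."""
    srv, pkts = ("198.51.100.10", 80), []
    for i in range(3):
        c, t = ("192.0.2.%d" % (i + 1), 40000 + i), float(i)
        pkts += [(t, *c, *srv, "S"), (t + .01, *srv, *c, "SA"), (t + .02, *c, *srv, "A")]
    for i in range(150):
        c, t = ("203.0.113.%d" % (i + 1), 1024 + i), 10 + i * 0.01
        pkts += [(t, *c, *srv, "S"), (t + 0.001, *srv, *c, "SA")]
    return pkts
```

Completed handshakes leave the pending table at once, so only flows stuck before the final ACK count toward the threshold; a short timeout makes the check a rate limit on incomplete handshakes.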



© 2004-2009 Information-Technology-Articles.com - All Rights Reserved Worldwide.