[Snort-devel] Custom Development Question

John Gomez john.gomez at ...512...
Mon Jun 23 08:52:16 EDT 2014


Greetings - 

I am hopeful you can point me in the right direction and apologize upfront if this is a stupid question, but I am new to the world of IDS and network traffic analysis.  

I have been asked to develop an application that allows an organization to better understand who is looking at what information, so that they can determine why that activity is occurring.  Currently most of the applications being used would live within the enterprise network but there are also some applications that would live on the Internet, especially social media sites.  For purposes of this example, let's pretend there is an application called "Excelsior" and users can log into Excelsior and look up a client's credit history.  In our use case we want to detect that an employee (Mary) who lives near a client (Sam) decided to just look at their credit history, which includes Sam's most recent purchases over the last 90 days.  

What my app needs to do, hopefully by using Snort, is detect that the credit history lookup took place by examining the network traffic, as well as who performed the activity, in this case Mary and on what client’s record - in this case Sam’s record.  Once this violation is detected we would want our application to be notified so we can then provide an alert to our client via a custom interface.  Typically, our clients have about 400 different systems in their enterprise, all of which could violate privacy rules, so although we could examine log data for each application, that creates latency in the analysis and also is a very cumbersome deployment, as there is no standard for the log format or storage.  One of our goals is to detect the violation in as close to real time as possible.  

My key questions for you are, firstly can Snort or any IDS do this or should we be developing/using some other technology?  

If Snort could do this, what are the limitations or things we would need to be aware of that could keep us from hitting our goal of real-time privacy violation detection and alerting?

If Snort is the right answer what partnering options, training and other support is available?  Is there any similar solution that is open source that we could learn from?  Is there an API guide or development tutorial?

If Snort is not the right answer would you have any suggestions of how to tackle this challenge? We are looking at Bro, Suricata, writing our own PCap/WinPCap, but at the end of the day I really am hopeful Snort is the right solution to our challenge.

I look forward to hearing from you - 

John
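As an added illustration of the kind of detection the post is asking about (this is not part of the original message and is not Snort's own example), here is a Snort 2.x rule in the style of the post's "Excelsior" scenario. The application name, the URI path `/excelsior/client/credit-history` and the `X-Excelsior-User` header are hypothetical placeholders; a real deployment would substitute the request shape the actual application uses, and `$HOME_NET`, `$EXTERNAL_NET` and `$HTTP_PORTS` are the standard snort.conf variables.

```snort
# Hypothetical Excelsior credit-history lookup over plain HTTP.
# Fires once per matching client request; the alert carries the
# triggering packet, so the user header and record id can be read
# from the logged payload (e.g. unified2 with packet data), not
# from the rule itself.
alert tcp $HOME_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"POLICY Excelsior credit-history lookup (hypothetical app)"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"/excelsior/client/credit-history"; http_uri; fast_pattern; \
    content:"X-Excelsior-User|3a|"; http_header; \
    classtype:policy-violation; \
    sid:1000001; rev:1; \
)
```

Two caveats a practitioner would raise against the post's goal. First, a rule like this tells you that a lookup happened; attributing it to Mary and to Sam's record means reading the user header and the record identifier out of the logged packet payload (or a session-aware tool such as Bro/Suricata with HTTP logging), since Snort's rule language matches content but does not extract fields into the alert text. Second, this only works on cleartext HTTP: the Internet-facing and social-media cases in the post run over TLS, where the URI and headers are invisible to a passive sensor unless traffic is decrypted at a proxy first.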

