Snort mailing list archives

Custom Development Question


From: John Gomez <john.gomez () mac com>
Date: Mon, 23 Jun 2014 08:52:16 -0400

Greetings - 

I am hopeful you can point me in the right direction and apologize upfront if this is a stupid question, but I am new 
to the world of IDS and network traffic analysis.  

I have been asked to develop an application that allows an organization to better understand who is looking at what 
information, so that they can determine why that activity is occurring.  Currently most of the applications being used 
would live within the enterprise network but there are also some applications that would live on the Internet, 
especially social media sites.  For purposes of this example, let’s pretend there is an application called “Excelsior” 
and users can log into Excelsior and look up a client’s credit history.  In our use case we want to detect that an 
employee (Mary) who lives near a client (Sam) decided to just look at their credit history, which includes Sam's most 
recent purchases over the last 90 days.  

What my app needs to do, hopefully by using Snort, is detect that the credit history lookup took place by examining the 
network traffic, as well as who performed the activity, in this case Mary and on what client’s record - in this case 
Sam’s record.  Once this violation is detected we would want our application to be notified so we can then provide an 
alert to our client via a custom interface.  Typically, our clients have about 400 different systems in their 
enterprise, all of which could violate privacy rules, so although we could examine log data for each application, that 
creates latency in the analysis and also is a very cumbersome deployment, as there is no standard for the log format or 
storage.  One of our goals is to detect the violation in as close to real time as possible.  

My key questions for you are, firstly can Snort or any IDS do this or should we be developing/using some other 
technology?  

If Snort could do this, what are the limitations or things we would need to be aware of that could keep us from hitting 
our goal of real-time privacy violation detection and alerting?

If Snort is the right answer what partnering options, training and other support is available?  Is there any similar 
solution that is open source that we could learn from?  Is there an API guide or development tutorial?

If Snort is not the right answer would you have any suggestions of how to tackle this challenge? We are looking at Bro, 
Suricata, writing our own PCap/WinPCap, but at the end of the day I really am hopeful Snort is the right solution to 
our challenge.

I look forward to hearing from you - 

John
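As an added illustration of the kind of rule Snort would need for the scenario above (this is not from the original post and not from any real product), the rule below fires on a request to the fictional Excelsior credit-history endpoint. It assumes Excelsior is served over plain HTTP on port 8080 inside $HOME_NET, that the path, the client parameter and the user header are as named here, and that the application consuming the alert reads the user and client id out of the packet payload Snort logs with the alert (unified2 output); over TLS none of these fields are visible to Snort.

```snort
# Constructed example: Excelsior over plain HTTP on port 8080 in $HOME_NET.
# Path, parameter and header names are assumptions, not a real product's API.
# The alert itself names only the event; the logged packet payload carries the
# X-Excelsior-User header and the client id for the consuming application.
alert tcp $HOME_NET any -> $HOME_NET 8080 ( \
    msg:"EXCELSIOR credit history lookup"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"/excelsior/credit-history"; http_uri; nocase; \
    pcre:"/[?&]client=\d+/U"; \
    content:"X-Excelsior-User|3A|"; http_header; \
    classtype:policy-violation; \
    sid:1000001; rev:1; \
)
```

Deciding whether Mary's lookup of Sam's record is a violation (proximity, no business need) is policy logic that belongs in the application fed by these alerts, not in the rule.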

