Snort mailing list archives

Building IDS / IPS on existing Elasticsearch cluster using Snort


From: Shivkumar Mallesappa via Snort-users <snort-users () lists snort org>
Date: Wed, 18 Apr 2018 18:17:44 +0530

I am new to this technology (Snort). I have a basic one-line understanding
that it is an open source IDS (correct me if I am wrong). I have some
experience with the ELK stack. I have my Elasticsearch cluster ready with
around 50 GB of data.

My question is, can I use Snort on my current Elasticsearch cluster as
an IDS? Basically, I have parsed my logs and they are stored in Elasticsearch with
some fields like IP, GEO_LOCATION (city name), etc., so can I use Snort to
read my current Elasticsearch cluster data and notify me if a suspicious
activity/record is found?

If not Snort, is there any other open source tool available to achieve the
above use case?

I hope I am clear with my query.

Thank you.
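Snort itself inspects live packets from a network interface or a pcap file rather than documents already indexed in Elasticsearch, so the "notify me if a suspicious record is found" part of the question above is normally done with detection logic run over the stored records. The following is an added example, not code from the thread or from the Snort project: a small rule scan over records shaped like the poster's parsed logs (IP and GEO_LOCATION fields). The sample documents, field names, blocklist and thresholds are all constructed assumptions.

```python
"""Rule-based scan over log records shaped like Elasticsearch documents.

Added illustration, not part of the mailing-list thread. Field names, sample
documents, blocklist entries and thresholds are assumptions chosen for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample documents mirroring the poster's fields (IP, GEO_LOCATION).
SAMPLE_DOCS = [
    {"@timestamp": "2018-04-18T12:00:00", "ip": "203.0.113.7", "geo_location": "Pune", "user": "alice", "event": "login_failed"},
    {"@timestamp": "2018-04-18T12:00:10", "ip": "203.0.113.7", "geo_location": "Pune", "user": "alice", "event": "login_failed"},
    {"@timestamp": "2018-04-18T12:00:20", "ip": "203.0.113.7", "geo_location": "Pune", "user": "alice", "event": "login_failed"},
    {"@timestamp": "2018-04-18T12:00:30", "ip": "203.0.113.7", "geo_location": "Pune", "user": "alice", "event": "login_failed"},
    {"@timestamp": "2018-04-18T12:00:40", "ip": "203.0.113.7", "geo_location": "Pune", "user": "alice", "event": "login_failed"},
    {"@timestamp": "2018-04-18T12:01:00", "ip": "198.51.100.23", "geo_location": "Mumbai", "user": "bob", "event": "login_success"},
    {"@timestamp": "2018-04-18T12:02:00", "ip": "203.0.113.9", "geo_location": "Pune", "user": "carol", "event": "login_failed"},
    {"@timestamp": "2018-04-18T12:02:30", "ip": "203.0.113.9", "geo_location": "Pune", "user": "carol", "event": "login_failed"},
    {"@timestamp": "2018-04-18T12:05:00", "ip": "192.0.2.10", "geo_location": "Bengaluru", "user": "alice", "event": "login_success"},
    {"@timestamp": "2018-04-18T12:30:00", "ip": "192.0.2.44", "geo_location": "Delhi", "user": "alice", "event": "login_success"},
    {"@timestamp": "2018-04-18T13:00:00", "ip": "192.0.2.10", "geo_location": "Bengaluru", "user": "alice", "event": "login_success"},
]

# Assumed detection parameters; tune them to the environment.
BLOCKLIST = {"198.51.100.23"}        # constructed blocklist entry
FAIL_THRESHOLD = 5                   # failed logins per IP ...
FAIL_WINDOW = timedelta(minutes=5)   # ... within this window


def _ts(doc):
    return datetime.strptime(doc["@timestamp"], "%Y-%m-%dT%H:%M:%S")


def _alert(rule, doc, detail):
    return {"rule": rule, "timestamp": doc["@timestamp"], "ip": doc["ip"],
            "user": doc.get("user"), "geo_location": doc.get("geo_location"),
            "detail": detail}


def rule_blocklisted_ip(docs):
    """Any record whose source IP is on the blocklist."""
    return [_alert("blocklisted_ip", d, "source IP on blocklist")
            for d in docs if d["ip"] in BLOCKLIST]


def rule_failed_login_burst(docs):
    """FAIL_THRESHOLD or more failed logins from one IP inside FAIL_WINDOW.
    Sliding window per IP; alerts once per IP so a long burst does not flood."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for d in docs:
        if d.get("event") != "login_failed":
            continue
        q = recent[d["ip"]]
        q.append(_ts(d))
        while q and q[-1] - q[0] > FAIL_WINDOW:
            q.popleft()
        if len(q) >= FAIL_THRESHOLD and d["ip"] not in fired:
            fired.add(d["ip"])
            alerts.append(_alert("failed_login_burst", d,
                                 f"{len(q)} failed logins within {FAIL_WINDOW}"))
    return alerts


def rule_new_location(docs):
    """Successful login for a user from a city not seen for that user before.
    The user's first successful login sets the baseline and does not alert."""
    alerts, seen = [], defaultdict(set)
    for d in docs:
        if d.get("event") != "login_success" or not d.get("user"):
            continue
        cities = seen[d["user"]]
        if cities and d.get("geo_location") not in cities:
            alerts.append(_alert("new_location", d,
                                 f"first login from {d['geo_location']}; known: {sorted(cities)}"))
        cities.add(d.get("geo_location"))
    return alerts


RULES = (rule_blocklisted_ip, rule_failed_login_burst, rule_new_location)


def scan(docs):
    """Run every rule over the records in timestamp order; return alerts by time.
    Sorting first matters because search hits are not guaranteed to be ordered."""
    ordered = sorted(docs, key=_ts)
    alerts = [a for rule in RULES for a in rule(ordered)]
    return sorted(alerts, key=lambda a: a["timestamp"])


if __name__ == "__main__":
    for a in scan(SAMPLE_DOCS):
        print(f"{a['timestamp']} {a['rule']:<20} ip={a['ip']} user={a['user']} {a['detail']}")
```

Against a live cluster the `docs` list would come from a scheduled, time-bounded query (a range filter on `@timestamp` covering the interval since the last run) instead of the embedded sample, and the alerts would be forwarded to whatever notification channel the team uses; the rules themselves are the same. Open source tools that run this kind of periodic query-and-alert loop over Elasticsearch already exist (ElastAlert is one), which is the category to look at for the stored-data case rather than a packet-based IDS.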