[K12OSN] Traffic monitoring
- From: Chris Hobbs <chobbs silvervalley k12 ca us>
- To: k12osn redhat com
- Subject: [K12OSN] Traffic monitoring
- Date: Mon Nov 24 15:21:01 2003
Hi All,
I attended the California Educational Technology Professional
Association (CETPA) Annual Meeting/Convention last week, and now have
some new ideas for our district, but as always, I'm looking for free
solutions.
One of the products I looked at (begrudgingly[1]) was a traffic
monitoring and reporting solution from LightSpeed Systems. Basically, it
monitors all traffic in/outbound, and reports on what it deems
inappropriate. This goes beyond web filtering, as it has the capacity to
look for inappropriate content in instant messaging, e-mail (SMTP as
well as web), p2p file sharing, etc. Its big plus is ease of use and
nice reporting (anyone who has ever had to explain a squid log to a
superintendent or HR director can understand the importance of this). If
you're interested in seeing an example of the reporting, you can check
it out at <http://reports4.lightspeedsystems.com/>, assuming you have IE
since it requires it :( The price for the box and software would be
$10K, with another $2K annually for maintenance - not cheap.
One feature that caught my ear was its ability to use Snort rules
natively, which means the next worm that comes around, you can easily
drop in a quick snort rule from your favorite mailing lists - pretty slick.
Of course, when I heard that, I immediately wondered if we couldn't skip
the middle-man and just use snort itself. It's been a while since I've
played with it, so I installed the latest version this weekend at home,
and looked around.
Sure enough, there is a short rule file called porn.rules. There are
also policy.rules for things like IM, though not content specific.
ACID exists for reporting, though more involved reports might be
possible with other tools, such as Access or Crystal Reports, since
snort can log to a sql server.
So in short, it looks doable. My question is whether anyone is already
doing so - snort is obviously designed to work as an intrusion detection
system, which explains its dearth of policy and porn rules. Has anyone
seen more complete lists of snort rules out there that might be more
appropriate for monitoring a school network?
Thanks for the input!
[1] I have no desire to be Big Brother. However, we have had incidents
that demanded investigation. I'm sure there are many more that should
have been caught. While I have no desire to be the "network nazi", I do
believe the school network should be used for school activities. We are
nearing our current bandwidth limits, and I bet curtailing inappropriate
use would save us the cost of upgrading our pipe.
--
Chris Hobbs Silver Valley Unified School District
Head geek: Technology Services Coordinator
webmaster: http://www.silvervalley.k12.ca.us/~chobbs/
postmaster: chobbs silvervalley k12 ca us
pgp: http://www.silvervalley.k12.ca.us/~chobbs/key.asc