I need to write a C program to perform the following algorithm.
1: start
2: detection of the network and its related devices (the IDPS has a DB, and the available devices are supposed to be checked in)
(if the device is a valid one but not registered, it should be entered into the DB)
3: logging of data (attach the following)
- timestamp
- priority
- MAC address
- channel number
- ID of the devices
4: detection capability
- check whether it's authorized
- check whether it's working properly and securely
- compare anomalies and unusual usage patterns (if any) with the already registered anomalies and patterns respectively.
case 1: presence --> stop the application
case 2: absence --> continue application
case 3: unusual activity but absent in the registered list --> provoke the user
5: end
Any guidelines? (I have no idea how to do it :( )
For the first 3 points I'd suggest you have a look at libpcap (tcpdump/libpcap). Anomalous network activity detection is a bit more complex; you could have a look at Snort and use it as an external analysis tool.
Writing an intrusion detection/prevention system is a complex subject, beyond what can be answered in a single SO question. However, Bro and Snort both have libraries that will do most of what you ask (logging and detection), and the manuals for Snort show the pseudo-code of how it all works. Bro has an excellent wiki covering its operation as well.
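As an added example, not code from the question or from either answer, here is one way to lay out steps 2 to 4 in C once a capture library such as libpcap hands you a frame: the device DB, the anomaly list, the sample frame and the rule that a valid device means a unicast source MAC are all constructed assumptions, and `handle_frame` stands where the libpcap packet callback would call in.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <time.h>
/* Step 4 outcomes (question's case 1, case 3, case 2); the value doubles as the log priority. */
enum verdict { VERDICT_STOP = 1, VERDICT_ASK_USER = 2, VERDICT_CONTINUE = 3 };
struct device { uint8_t mac[6]; int authorized; };  /* one DB row; device ID = index + 1 */
static struct device db[16] = {                     /* constructed sample registry */
    { {0x00,0x11,0x22,0x33,0x44,0x55}, 1 }, { {0x66,0x77,0x88,0x99,0xaa,0xbb}, 0 } };
static int db_count = 2;
static const char *known_anomalies[] = { "unauthorized-device", "mac-flood" }; /* constructed registered patterns (case 1) */
/* Step 2: look a device up by MAC; returns its DB index or -1. */
int db_lookup(const uint8_t mac[6]) {
    for (int i = 0; i < db_count; i++) if (memcmp(db[i].mac, mac, 6) == 0) return i;
    return -1;
}
/* Step 2: enter a valid but unregistered device into the DB; -1 when the DB is full. */
int db_register(const uint8_t mac[6], int authorized) {
    if (db_count >= (int)(sizeof db / sizeof *db)) return -1;
    memcpy(db[db_count].mac, mac, 6); db[db_count].authorized = authorized;
    return db_count++;
}
/* Step 3: one log line carrying the fields the question lists (dev=0: not in the DB). */
void log_event(int prio, const uint8_t m[6], int channel, int dev_id) {
    time_t now = time(NULL); char ts[32];
    strftime(ts, sizeof ts, "%Y-%m-%dT%H:%M:%SZ", gmtime(&now));
    printf("%s prio=%d mac=%02x:%02x:%02x:%02x:%02x:%02x chan=%d dev=%d\n",
           ts, prio, m[0], m[1], m[2], m[3], m[4], m[5], channel, dev_id);
}
/* Step 4: compare the reported anomaly (NULL = none) with the registered list. */
enum verdict classify(const char *anomaly) {
    if (!anomaly) return VERDICT_CONTINUE;                                 /* case 2 */
    for (size_t i = 0; i < sizeof known_anomalies / sizeof *known_anomalies; i++)
        if (strcmp(anomaly, known_anomalies[i]) == 0) return VERDICT_STOP; /* case 1 */
    return VERDICT_ASK_USER;                                                /* case 3 */
}
/* Steps 2-4 for one Ethernet II frame (source MAC = bytes 6..11); `anomaly` is the label an external
 * analyser such as Snort attached, or NULL. Assumption: a valid device has a unicast source MAC, so a
 * short frame or a group source address is itself unusual activity (case 3). */
enum verdict handle_frame(const uint8_t *frame, size_t len, int channel, const char *anomaly) {
    if (len < 14 || (frame[6] & 0x01)) return VERDICT_ASK_USER;
    const uint8_t *mac = frame + 6; int idx = db_lookup(mac);
    if (idx < 0) idx = db_register(mac, 1);    /* valid but unregistered: enter it (assumed authorized) */
    if (!anomaly && idx >= 0 && !db[idx].authorized) anomaly = "unauthorized-device";
    enum verdict v = classify(anomaly); log_event(v, mac, channel, idx + 1);
    return v;
}
int main(void) {   /* constructed frame from the registered but unauthorized device, seen on channel 6 */
    static const uint8_t f[14] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00 };
    return handle_frame(f, sizeof f, 6, NULL) == VERDICT_STOP ? 0 : 1;
}
```

Compile with a C99 compiler; the `anomaly` label is whatever your external analyser reports, so this block does not itself detect anomalies.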