Snort Forums Archive
leeching question?
Posted by dancs on August 15, 2005 05:16:06
Hi,
I posted a question in the newbies section, but I didn't get much response, so I thought I'd give the advanced section a try.
I was just wondering if there are any rules that can detect leeching off of a website. We have issues from time to time where a user in our organization will attempt to download a certain number of pdf files off of a webserver outside our network, within a small amount of time. We then have to spend a ton of time doing forensic investigations on the host machine. It would be nice to catch this type of activity in realtime.
If anyone has any idea on how to detect this, it would be greatly appreciated. For example, could it be possible to detect 10 pdf download requests within a two minute period, or something to that effect?
Thanks in advance to any who can help,
D.C.

Posted by roesch on August 18, 2005 20:06:12
Yeah, use thresholding and pcre to look for *.pdf requests. Check out the README.thresholding file...
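One way to put that advice into a rule, written as an added example for this archive page and not taken from the original thread or from the Snort rule sets: the pcre matches a GET request whose path ends in .pdf, and the threshold option fires once per 120-second window when one internal source has issued 10 such requests. $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are the usual snort.conf variables; the msg text and sid 1000001 (any local sid of 1000000 or above) are arbitrary choices for the example.

```snort
# Added example (not from the thread): alert once when one internal host
# requests 10 or more PDF files from outside web servers within 2 minutes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL POLICY burst of PDF downloads from one internal host"; \
    flow:to_server,established; \
    content:"GET "; depth:4; \
    content:".pdf"; nocase; \
    pcre:"/^GET\s+[^\s\?]+\.pdf(\?|\s)/i"; \
    threshold:type both, track by_src, count 10, seconds 120; \
    classtype:policy-violation; \
    sid:1000001; rev:1; \
)
```

The two content matches are cheap prefilters so the pcre only runs on packets that already contain "GET " at offset 0 and ".pdf" somewhere; the pcre then confirms that .pdf ends the request path rather than appearing in a query string. "type both" is the README.thresholding mode that stays silent until the count is reached and then alerts once per interval, which is what you want for a burst detector; "type limit" would instead alert on each of the first 10 requests. Two caveats a practitioner should keep in mind: this only sees cleartext HTTP, and it keys on the URL, so a PDF served from a URL without a .pdf suffix will not be counted. In later Snort releases the in-rule threshold keyword was replaced by detection_filter, which takes the same track/count/seconds arguments.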