IDS mailing list archives
Re: Local Mirror Prevention with IDS
From: Jason <security () brvenik com>
Date: Thu, 23 Dec 2004 22:50:59 -0500
If the goal is to stop someone then you need to be able to get inline or have automated controls on the web server. If you can get inline or even passive with snort then you can do a bunch of things with differing levels of success.
1) On the main page, and all sub pages, embedded in whitespace, place a link the same color as the background, anchored by a 1x1 image.
2) use a robots.txt 3) Use hidden text links in the content. 4) Watch for user agents of known spider toolsThen write rules to look for all of this activity. If you get inline you can drop or reject the requests and continue to do so for a period of time. If passive you can use something like snortsam to shun them on the local firewall or the border routers...
If your goal is bandwidth limitation for offenders there are better tools available but you should be able to use snortsam to affect that change too.
None of this will be perfect though and you should be suspect of any technology that claims to be able to identify and handle this situation perfectly.
Michael Boman wrote:
On Fri, 17 Dec 2004 14:38:16 +0200, Dimitrios Patsos <dpat () space gr> wrote:Hi! Can anybody provide some help on how can we prevent a user from making a local mirror of a web site by using both host & network IDS? Thank you in advance.A similar request came up on snort-users about two weeks ago. The answer is archived at http://sourceforge.net/mailarchive/message.php?msg_id=10258872 Best regards Michael Boman -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.--------------------------------------------------------------------------
-------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- Local Mirror Prevention with IDS Dimitrios Patsos (Dec 20)
- Re: Local Mirror Prevention with IDS Michal Melewski (Dec 23)
- Re: Local Mirror Prevention with IDS Kevin Johnson (Dec 23)
- Re: Local Mirror Prevention with IDS Kevin (Dec 23)
- Re: Local Mirror Prevention with IDS Michael Boman (Dec 23)
- Re: Local Mirror Prevention with IDS Jason (Dec 27)
- Re: Local Mirror Prevention with IDS Kyle Maxwell (Dec 23)