Snort mailing list archives
tracking 'legitimate' traffic
From: John Hally <JHally () epnet com>
Date: Mon, 28 Oct 2002 11:53:08 -0500
Hello,

I'm wondering if anyone else has run into this. I've seen a jump in link checker robots that request legitimate docs/files/etc., only at high rates per second. The problem I'm having is that because the traffic is legitimate, there's nothing to key on that sets it apart from other traffic, other than the rate at which it's requested. I'm curious if anyone has played around with any preprocessors to check for something like IP addresses/rate of requests, or something to that effect. I realize mega-proxies can cause false positives, but they could be recorded and allowed to pass through.

Any ideas?

Thanks in advance.

John Hally
Network Admin.
EBSCO Publishing
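The check the message asks about, keying on request rate per source IP with known proxies allowed to pass, as an added example that is not part of the original post and is not Snort code. The function name, the thresholds and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample events: (timestamp in ms, source IP, requested path).
BASE = 1_000_000
SAMPLE_EVENTS = (
    # Link-checker style client: 12 valid requests, 100 ms apart.
    [(BASE + i * 100, "192.0.2.10", f"/docs/{i}.html") for i in range(12)]
    # Ordinary reader: 5 requests, 3 s apart.
    + [(BASE + i * 3000, "198.51.100.7", f"/articles/{i}.html") for i in range(5)]
    # Shared proxy: 20 requests, 50 ms apart, many users behind one address.
    + [(BASE + i * 50, "203.0.113.5", f"/files/{i}.pdf") for i in range(20)]
)

def find_fast_clients(events, max_requests, window_ms, allowlist=()):
    """Return {source_ip: timestamp of the first request that pushed the
    source over max_requests inside a sliding window of window_ms}.

    Sources inside any allowlisted network (recorded proxies) are skipped,
    so they can never be flagged."""
    allowed = [ipaddress.ip_network(net) for net in allowlist]
    recent = defaultdict(deque)   # per-source timestamps still in the window
    flagged = {}
    for ts, ip, _path in sorted(events):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowed):
            continue
        window = recent[ip]
        window.append(ts)
        # Drop requests that have aged out of the window ending at ts.
        while window[0] <= ts - window_ms:
            window.popleft()
        if len(window) > max_requests and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    hits = find_fast_clients(SAMPLE_EVENTS, max_requests=5, window_ms=1000,
                             allowlist=["203.0.113.0/24"])
    for ip, ts in hits.items():
        print(f"{ip} exceeded 5 requests/second at t={ts} ms")
```

Only the rate is examined, never the content of the request, which matches the case where every individual request is valid.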