Snort mailing list archives

tracking 'legitimate' traffic


From: John Hally <JHally () epnet com>
Date: Mon, 28 Oct 2002 11:53:08 -0500


Hello,

I'm wondering if anyone else has run into this.  I've seen a jump in link
checker robots that request legitimate docs/files/etc, only at high rates
per second.  The problem I'm having is that because the traffic is
legitimate, there's nothing to key on that sets it apart from other traffic,
other than the rate at which it's requested.  I'm curious if anyone has
played around with any preprocessors to check for something like IP
addresses/rate of requests, or something to that effect.  I realize
mega-proxies can cause false positives, but they could be recorded and
allowed to pass through.

Any ideas?


Thanks in Advance.

John Hally
Network Admin.
EBSCO Publishing
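
The per-source rate check with a proxy allowlist that the message asks about, as an added example that is not part of the original post and is not a Snort preprocessor: it runs offline over web server access logs, assuming Common Log Format. The function names, window, threshold and sample addresses are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format prefix: client IP, two ignored fields, [timestamp].
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def parse_line(line):
    """Return (ip, epoch_seconds) for a CLF line, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m.group(1), ts.timestamp()

def fast_clients(lines, window_s=2, threshold=20, allowlist=frozenset()):
    """Return {ip: peak} for sources whose peak request count inside any
    window_s-second sliding window reaches threshold. Allowlisted sources
    (known proxies) are skipped. Lines must be in time order per source."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> highest window count seen
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[0] in allowlist:
            continue
        ip, t = parsed
        q = recent[ip]
        q.append(t)
        while t - q[0] >= window_s:   # drop requests that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

# Constructed sample log (documentation-range addresses, not real traffic).
FMT = '{ip} - - [28/Oct/2002:11:53:{s:02d} -0500] "GET /docs/{n}.html HTTP/1.0" 200 512'
SAMPLE_LOG = (
    [FMT.format(ip="192.0.2.10", s=s, n=n) for s in range(3) for n in range(12)]      # link checker
    + [FMT.format(ip="198.51.100.7", s=s, n=n) for s in range(2) for n in range(15)]  # shared proxy
    + [FMT.format(ip="203.0.113.5", s=s, n=s) for s in (0, 2, 4)]                     # ordinary reader
)

if __name__ == "__main__":
    print(fast_clients(SAMPLE_LOG, allowlist={"198.51.100.7"}))
```

Running it without the allowlist also reports the proxy address, which is the false positive the message anticipates.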

