Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Is there a way for Snort to detect large http downloads?

From: Jon Baer <security () jonbaer net>
Date: Tue, 13 Jul 2004 21:41:28 -0400
You'd probably want ntop in this situation ... www.ntop.org and then curb it off with wondershaper. 

- Jon

Jason Truong wrote:

Is there a rule in Snort that can help to alert when a user it downloading a very large file from the internet...via 
http or ftp?
We have a 9mb pipe out to the internet and sometimes I get alerts (from Nagios) mentioning that the pipe if full.  I 
have already disabled P2P applications at the firewall level.  I can resort to making configs on the Cisco level but 
was wondering if there was a way for Snort to alert on large downloads.

Large can be say > 50 MB.

Thanks,
Jason 


-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: