IDS mailing list archives
Re: Local Mirror Prevention with IDS
From: Kyle Maxwell <krmaxwell () gmail com>
Date: Tue, 21 Dec 2004 15:25:45 -0600
On Fri, 17 Dec 2004 14:38:16 +0200, Dimitrios Patsos <dpat () space gr> wrote:
Can anybody provide some help on how can we prevent a user from making a local mirror of a web site by using both host & network IDS?
I'm not sure that either technology is well-suited to the task that you're laying out. You could (maybe) use NIDS to *detect* a user mirroring a site -- if he was doing so at a high rate -- but this would be more easily spotted in the web server logs. You have a fundamental problem here: a user can slowly build up the mirror, and since all the material is publicly available for them to access, you need more specific criteria for the accesses you want to prevent. What are you really trying to prevent? It's not just "making a local mirror", it must be something slightly higher-level. Once you know that, you can better decide what countermeasures you need to take. -- Kyle Maxwell [krmaxwell () gmail com] -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Local Mirror Prevention with IDS Dimitrios Patsos (Dec 20)
- Re: Local Mirror Prevention with IDS Michal Melewski (Dec 23)
- Re: Local Mirror Prevention with IDS Kevin Johnson (Dec 23)
- Re: Local Mirror Prevention with IDS Kevin (Dec 23)
- Re: Local Mirror Prevention with IDS Michael Boman (Dec 23)
- Re: Local Mirror Prevention with IDS Jason (Dec 27)
- Re: Local Mirror Prevention with IDS Kyle Maxwell (Dec 23)