Re: Local Mirror Prevention with IDS

[Kyle Maxwell <krmaxwell () gmail com>]

On Fri, 17 Dec 2004 14:38:16 +0200, Dimitrios Patsos <dpat () space gr> wrote:
> Can anybody provide some help on how can we prevent a user from making a
> local mirror of a web site by using both host & network IDS?

I'm not sure that either technology is well-suited to the task that
you're laying out. You could (maybe) use NIDS to *detect* a user
mirroring a site -- if he was doing so at a high rate -- but this
would be more easily spotted in the web server logs.

You have a fundamental problem here: a user can slowly build up the
mirror, and since all the material is publicly available for them to
access, you need more specific criteria for the accesses you want to
prevent. What are you really trying to prevent? It's not just "making
a local mirror", it must be something slightly higher-level. Once you
know that, you can better decide what countermeasures you need to
take.

-- 
Kyle Maxwell
[krmaxwell () gmail com]

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------