IDS mailing list archives

Re: Local Mirror Prevention with IDS


From: Jason <security () brvenik com>
Date: Thu, 23 Dec 2004 22:50:59 -0500

If the goal is to stop someone then you need to be able to get inline or have automated controls on the web server. If you can get inline or even passive with snort then you can do a bunch of things with differing levels of success.

1) On the main page, and all sub pages, embedded in whitespace, place a link the same color as the background, anchored by a 1x1 image.

2) Use a robots.txt.

3) Use hidden text links in the content.

4) Watch for user agents of known spider tools.

Then write rules to look for all of this activity. If you get inline you can drop or reject the requests and continue to do so for a period of time. If passive you can use something like snortsam to shun them on the local firewall or the border routers...

If your goal is bandwidth limitation for offenders there are better tools available but you should be able to use snortsam to effect that change too.

None of this will be perfect though and you should be suspicious of any technology that claims to be able to identify and handle this situation perfectly.

Michael Boman wrote:
> On Fri, 17 Dec 2004 14:38:16 +0200, Dimitrios Patsos <dpat () space gr> wrote:
>
>> Hi!
>>
>> Can anybody provide some help on how can we prevent a user from making a
>> local mirror of a web site by using both host & network IDS?
>>
>> Thank you in advance.
>
> A similar request came up on snort-users about two weeks ago. The
> answer is archived at
> http://sourceforge.net/mailarchive/message.php?msg_id=10258872
>
> Best regards
>  Michael Boman

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
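The tripwires listed in the reply above (a hidden trap link, a robots.txt-disallowed area, spider user agents) can also be checked offline against web server access logs. The following is an added example, not part of the original thread; the trap path, the disallowed prefix, the user-agent substrings and the log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed site layout (hypothetical, not from the thread):
TRAP_PATH = "/trap/do-not-follow.html"  # target of the invisible 1x1-image link
DISALLOWED = "/private/"                # prefix listed under Disallow: in robots.txt
MIRROR_AGENTS = ("wget", "httrack")     # substrings of known mirroring tools

# Apache/NCSA "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def classify(line):
    """Return (client_ip, set_of_reasons) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = set()
    path = m["path"].split("?", 1)[0]   # ignore the query string
    if path == TRAP_PATH:
        reasons.add("trap-link")        # no human sees or clicks this link
    if path.startswith(DISALLOWED):
        reasons.add("robots-disallowed")  # polite crawlers never come here
    if any(a in m["ua"].lower() for a in MIRROR_AGENTS):
        reasons.add("mirror-user-agent")  # weak signal: trivially spoofed
    return m["ip"], reasons

def offenders(lines):
    """Map each client IP to every tripwire it hit; clean clients are omitted."""
    hits = defaultdict(set)
    for line in lines:
        result = classify(line)
        if result and result[1]:
            hits[result[0]] |= result[1]
    return dict(hits)

# Constructed sample log (documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Dec/2004:22:40:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U) Firefox/1.0"',
    '198.51.100.7 - - [23/Dec/2004:22:40:02 -0500] "GET /index.html HTTP/1.0" 200 5120 "-" "Wget/1.9.1"',
    '198.51.100.7 - - [23/Dec/2004:22:40:03 -0500] "GET /trap/do-not-follow.html HTTP/1.0" 200 12 "http://www.example.com/index.html" "Wget/1.9.1"',
    '203.0.113.44 - - [23/Dec/2004:22:41:10 -0500] "GET /private/archive.html HTTP/1.1" 200 900 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

if __name__ == "__main__":
    for ip, reasons in sorted(offenders(SAMPLE_LOG).items()):
        print(ip, ",".join(sorted(reasons)))
```

The per-IP reason sets are what a blocking or rate-limiting step would consume; a client flagged only by user agent deserves less confidence than one that followed the trap link.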