[Snort-users] monitoring who is monitoring you with snort (just a bit off topic)

Brian Caswell bmc at ...312...
Fri Nov 24 19:52:50 EST 2000


mike johnson wrote:
> has anyone tried to build rules to monitor what some of the marketing
> companies are gathering about you as you browse the internet?  companies
> like doubleclick, alexa, exactis, digital impact, responsys.
> 
> this could be a whole new use for snort.  granted, not the primary function
> of snort, but a very useful use for home users.

Well, I would prefer to use something that would parse the HTML a bit
better.  
There are many ways to hide "webbugs" into pages.  The best one I have
seen was
as follows.  A 1x1 GIF was included into an HTML file, but the GIF was
actually 6x2
of invisable.  It was included by an <img src=something.html> that had a
stylesheet
that set the max size for the GIF to 1x1.  Its too bad that most
browsers (well, all 
that I know of) would not render it.  Browsers would go to the page
though...

AdZap [0] has done a decent job at getting many of the lame web ads,
banners, and 
javascript put in by organizations that want to track you. Since
everyone should 
be using a caching proxy server, adding in something like AdZap would be
fairly
easy.  Then just log everything from "AdZap" to your IDS logs.  

Of course, if you do something silly like browse CNN.com your logs will
grow huge
quickly.

[0] http://www.zip.com.au/~cs/adzap/index.html

-- 
Brian Caswell
The MITRE Corporation




More information about the Snort-users mailing list