[Snort-users] tracking 'legitimate' traffic

John Hally JHally at ...5637...
Mon Oct 28 08:59:03 EST 2002


Hello,

I'm wondering if anyone else has run into this.  I've seen a jump in link
checker robots that request legitimate docs/files/etc, only at high rates
per second.  The problem I'm having is that because the traffic is
legitimate, there's nothing to key on that sets it apart from other traffic,
other than the rate at which it's requested.  I'm curious if anyone has
played around with any preprocessors to check for something like IP
addresses/rate of requests, or something to that effect.  I realize
mega-proxies can cause false positives, but they could be recorded and
allowed to pass through.

Any ideas?


Thanks in Advance.

John Hally
Network Admin.
EBSCO Publishing
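
The idea raised in the message above (flag sources by request rate, with known proxies allowed through), as an added example that is not part of the original post and is not Snort code. It assumes the requests are available as Common Log Format access-log lines; the function name, thresholds and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Common Log Format: source, ident, user, [timestamp], "METHOD path ..."
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ \S+')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_fast_clients(lines, max_requests=5, window_seconds=2, allow=()):
    """Return {source_ip: peak count} for every source that sends more than
    max_requests within window_seconds. Sources inside an allow-listed
    network (for example a known mega-proxy) are never reported.
    Lines must be in time order, as they are in an access log."""
    allowed = [ip_network(net) for net in allow]
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not an access-log record
        src, ts = m.group(1), datetime.strptime(m.group(2), TS_FORMAT)
        try:
            addr = ip_address(src)
        except ValueError:
            continue  # hostname instead of an address: ignored
        if any(addr in net for net in allowed):
            continue
        seen = recent[src]
        seen.append(ts)
        while ts - seen[0] >= window:  # drop requests older than the window
            seen.popleft()
        if len(seen) > max_requests:
            peaks[src] = max(peaks.get(src, 0), len(seen))
    return peaks

def _line(ip, second, path):
    return f'{ip} - - [28/Oct/2002:08:59:{second:02d} -0500] "GET {path} HTTP/1.0" 200 512'

# Constructed sample traffic; all addresses are from documentation ranges.
SAMPLE_LOG = (
    [_line("198.51.100.20", 1, "/index.html")]                         # ordinary reader
    + [_line("203.0.113.7", 3, f"/docs/{i}.html") for i in range(8)]   # link checker
    + [_line("192.0.2.10", 3, f"/img/{i}.gif") for i in range(10)]     # busy proxy
    + [_line("198.51.100.20", s, "/index.html") for s in (15, 40)]
)

if __name__ == "__main__":
    print(find_fast_clients(SAMPLE_LOG, allow=["192.0.2.0/24"]))
```

Without the allow list the busy proxy is reported as well, which is the false positive the message anticipates.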



