[Snort-users] Is there a way for Snort to detect large http downloads?

Jason Truong Jason.Truong at ...10396...
Tue Jul 13 12:35:07 EDT 2004


Is there a rule in Snort that can help to alert when a user is downloading a very large file from the internet...via http or ftp?
We have a 9mb pipe out to the internet and sometimes I get alerts (from Nagios) mentioning that the pipe is full.  I have already disabled P2P applications at the firewall level.  I can resort to making configs on the Cisco level but was wondering if there was a way for Snort to alert on large downloads.

Large can be, say, > 50 MB.

Thanks,

Jason 



