[Snort-users] Is there a way for Snort to detect large http downloads?

Jon Baer security at ...9153...
Tue Jul 13 18:56:02 EDT 2004


You'd probably want ntop in this situation ... www.ntop.org and then 
curb it off with wondershaper.

- Jon

Jason Truong wrote:
> Is there a rule in Snort that can help to alert when a user it downloading a very large file from the internet...via http or ftp?
> We have a 9mb pipe out to the internet and sometimes I get alerts (from Nagios) mentioning that the pipe if full.  I have already disabled P2P applications at the firewall level.  I can resort to making configs on the Cisco level but was wondering if there was a way for Snort to alert on large downloads.
> 
> Large can be say > 50 MB.
> 
> Thanks,
> 
> Jason 




More information about the Snort-users mailing list