Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

focus-ids logo IDS mailing list archives

Re: Local Mirror Prevention with IDS
From: Jason <security () brvenik com>
Date: Thu, 23 Dec 2004 22:50:59 -0500
If the goal is to stop someone then you need to be able to get inline or have automated controls on the web server. If you can get inline or even passive with snort then you can do a bunch of things with differing levels of success.
1) On the main page, and all sub pages, embedded in whitespace, place a link the same color as the background, anchored by a 1x1 image. 

2) use a robots.txt

3) Use hidden text links in the content.

4) Watch for user agents of known spider tools
Then write rules to look for all of this activity. If you get inline you can drop or reject the requests and continue to do so for a period of time. If passive you can use something like snortsam to shun them on the local firewall or the border routers...
If your goal is bandwidth limitation for offenders there are better tools available but you should be able to use snortsam to affect that change too.
None of this will be perfect though and you should be suspect of any technology that claims to be able to identify and handle this situation perfectly. 

Michael Boman wrote:

On Fri, 17 Dec 2004 14:38:16 +0200, Dimitrios Patsos <dpat () space gr> wrote:


Hi!

Can anybody provide some help on how can we prevent a user from making a
local mirror of a web site by using both host & network IDS?

Thank you in advance.



A similar request came up on snort-users about two weeks ago. The
answer is archived at
http://sourceforge.net/mailarchive/message.php?msg_id=10258872

Best regards
 Michael Boman

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. 
--------------------------------------------------------------------------




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. 
--------------------------------------------------------------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]