I'm not sure if this is possible, but I have a situation where I'm trying to identify an attacker who is constantly screen scraping my website. The challenge is that the attacker's traffic is first sent to a CDM so the source IP is modified before it gets to me. The CDM inserts a response header (X-Client-IP) into the HTTP request containing the source address of the attacker.
attacker <-> CDM <-> my web server
How would I (or is it even possible) create a custom sig to look at the incoming response header "X-Client-IP" to identify 20 hits from the same attacker in 1 minute? The attacker's address could change at any time, so I can't hard code his IP in the signature's "request regex" variable. I need the system to keep track of all incoming request headers and identify anyone who trips the 20 hit limit.
Thanks in advance!
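
The per-client counting the question describes, sketched as an added example (not part of the original post, and not signature syntax for any IPS product): a 60-second sliding window keyed on `X-Client-IP`. The names `HitTracker`, `client_key`, `detect` and the `TRUSTED_PROXIES` address are assumptions made for illustration, and the sample traffic is constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # "1 minute" from the question
HIT_LIMIT = 20        # "20 hits" from the question
TRUSTED_PROXIES = {"192.0.2.10"}  # constructed: address the CDM connects from


def client_key(peer_ip, headers):
    # X-Client-IP is believed only when the TCP peer is the CDM itself;
    # from any other peer the header could be forged, so count the peer.
    names = {k.lower(): v for k, v in headers.items()}
    claimed = names.get("x-client-ip", "").strip()
    if peer_ip in TRUSTED_PROXIES and claimed:
        return claimed
    return peer_ip


class HitTracker:
    def __init__(self, limit=HIT_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # client address -> recent timestamps

    def record(self, ts, peer_ip, headers):
        """Record one request; return the client address if it hit the limit."""
        key = client_key(peer_ip, headers)
        q = self.hits[key]
        q.append(ts)
        while q and q[0] <= ts - self.window:  # drop hits older than the window
            q.popleft()
        return key if len(q) >= self.limit else None


def detect(requests):
    """requests: iterable of (timestamp, peer_ip, headers) in time order."""
    tracker, flagged = HitTracker(), []
    for ts, peer, headers in requests:
        hit = tracker.record(ts, peer, headers)
        if hit and hit not in flagged:
            flagged.append(hit)
    return flagged


# Constructed sample traffic: one scraper every 2 s, one visitor every 30 s.
SAMPLE = [(t * 2, "192.0.2.10", {"X-Client-IP": "203.0.113.7"}) for t in range(25)]
SAMPLE += [(t * 30, "192.0.2.10", {"X-Client-IP": "198.51.100.4"}) for t in range(5)]
SAMPLE.sort(key=lambda r: r[0])
```

Because the key is whatever address the header carries at the time, nothing is hard-coded: a scraper that changes address simply starts a new counter.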