On Tue, Aug 31, 2004 at 10:21:06PM +0200, Jose Maria Lopez wrote:
Maybe I'm wrong but you would get the performance benefits of having the
traffic compressed if what you want it's to save bandwidth in your
internet connection, because the 'gunzip' would be done in your local
network, where it shouldn't matter to have more traffic. So the proxy
option could be a good option.
I don't know off the top of my head if any do that. I know Squid can remove
the "Accept-Encoding.." field from outgoing HTTP links - so that the
end-server just sends back the data uncompressed, but I don't know if it
could "pretend" it was incapable to compressing to the client, but actually
do it to the server...
Also, that would imply you have your IDS *behind* your proxy - most tend to
have them out on the edge of their networks.
OTOH, we've taken to installing Snort on our proxy servers - as there are
just too many things being hidden by the proxies! It's pretty hard to track
down a trojan downloaded onto an internal box when all that Snort can tell
you is "the proxy did it" :-/
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
