mån 2007-05-28 klockan 14:44 +0100 skrev Markus Moeller:
> So it looks like it could help determining malicious use of proxies even if 
> only few shell commands are executed.
Don't forget POST requests, which may give any ratio <> 1 depending on
the use..
Someone POST:ing a large file to a simple page (or smaller than the
POST:ed data): < 1
Someone POST:ing small amount to a large page: > 1
And with all the Web2.0 stuff being done these days you'll never really
know..
A packet size distribution might work more reliably. ssh, imap, pop etc
has a lot of very small command packets, while HTTP with it's larger
syntax nearly always has quite big packets..
Another question: Would you be interested in contributing your code
changes? Others might be interested in this for statistics purposes.
Regards
Henrik
This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:05 MDT