[Bro] Bro and asymmetric routing
vern at icir.org
Tue Oct 31 00:27:13 PST 2006
> In such a situation does the TCP analysis of Bro work ? or does it
> need to see both sides of the conversation ?
Bro has code to detect this case and still perform some analysis. However,
we haven't operated it in such an environment for a number of years, so I
don't know if that code still functions correctly. Even if it does, you'll
still at best get degraded performance, since many of the policy scripts
expect to match requests with responses.
More information about the Bro