[Bro] Bro and asymmetric routing

Vern Paxson vern at icir.org
Tue Oct 31 00:27:13 PST 2006

> In such a situation does the TCP analysis of Bro work ? or does it
> need to see both sides of the conversation ?

Bro has code to detect this case and still perform some analysis.  However,
we haven't operated it in such an environment for a number of years, so I
don't know if that code still functions correctly.  Even if it does, you'll
still at best get degraded performance, since many of the policy scripts
expect to match requests with responses.


