[Bro] One-way TCP session to handle HTTP requests only

Rovnov Pavel provnov at solidex.by
Wed Mar 25 05:11:04 PDT 2015


Hello!

I'm looking for a monitoring solution that will give me an instrument to
log all HTTP requests (including HTTPS). I see that Bro does this really
well by default. But as soon as I have a huge amount of web traffic
(like 10Gb/s+), I would like to process HTTP requests only, by mirroring
only one direction of the TCP sessions. That will save a lot of processing
power since HTTP request << HTTP response.

I found only one reference to my idea, which says that handling one-way TCP
at best will slow down Bro
(http://mailman.icsi.berkeley.edu/pipermail/bro/2006-October/001853.html).
So the questions are:

1) Can anyone confirm that using Bro to handle one-way TCP sessions
is a bad idea?

2) Does anyone have any experience of tuning Bro to handle one-way
TCP sessions? We might turn off unnecessary processing (e.g. policies
that need a 2-way session) to solve the task...

Thanks!

Pavel