[Bro] One-way TCP session to handle HTTP requests only
Rovnov Pavel
provnov at solidex.by
Wed Mar 25 10:11:34 PDT 2015
Hello again!
I'm trying to run an installation with only client-to-server traffic
visible to Bro. This does not seem to break Bro; however, the following
messages fill weird.log:
1427302895.156616 C50xd821xHdTYgVRWj 172.x.x.x 33468 87.252.227.138 41223 data_before_established - F bro
1427302895.228297 CqeQYQ1Q4MgbwupuR8 172.x.x.x 45107 62.84.63.46 13871 possible_split_routing - F bro
1427302895.228985 CqeQYQ1Q4MgbwupuR8 172.x.x.x 45107 62.84.63.46 13871 data_before_established - F bro
1427302895.782191 CiSuNR2tWAfGBpuSxe 172.x.x.x 55007 80.249.82.211 11898 possible_split_routing - F bro
1427302895.783376 CiSuNR2tWAfGBpuSxe 172.x.x.x 55007 80.249.82.211 11898 data_before_established
Does anyone know how to switch Bro into an asymmetric mode? At least, can I
disable the notices that need a 2-way session?
Thanks!
Pavel
From: Rovnov Pavel
Sent: Wednesday, March 25, 2015 3:11 PM
To: 'bro at bro.org'
Subject: One-way TCP session to handle HTTP requests only
Hello!
I'm looking for a monitoring solution that will give me an instrument to
log all HTTP requests (including HTTPS). I see that Bro does this really
well by default. But as soon as I have a huge amount of web traffic
(like 10Gb/s+), I would like to process HTTP requests only, by mirroring
only one direction of the TCP sessions. That will save a lot of processing power,
since HTTP request << HTTP response.
I found only one reference to my idea, which says that handling one-way TCP
will at best slow down Bro
(http://mailman.icsi.berkeley.edu/pipermail/bro/2006-October/001853.html).
So the questions are:
1) Can anyone confirm that using Bro to handle one-way TCP sessions
is a bad idea?
2) Does anyone have any experience of tuning Bro to handle one-way
TCP sessions? We might turn off unnecessary processing (e.g. policies
that need a 2-way session) to solve the task...
Thanks!
Pavel
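Editor's note: the weird.log excerpt above is the classic signature of a tap that shows Bro only one direction of each TCP session: possible_split_routing (Bro infers the other direction exists but never sees it) followed by data_before_established (payload arrives on a connection whose handshake was never completed from Bro's point of view). Before deciding whether to suppress these, it helps to measure how much of weird.log they account for and what is left once they are set aside. The script below is an added example, not code from the post or from the Bro project; the sample log text, uids and addresses (RFC 1918 and TEST-NET ranges) are constructed, and the column order assumes the Bro 2.x weird.log layout.

```python
"""Tally Bro weird.log entries and separate the ones explained by one-way capture."""
from collections import Counter

# Weird names Bro emits when it only ever sees one direction of a TCP session
# (the two names that fill weird.log in the post above).
ONE_WAY_WEIRDS = frozenset({"possible_split_routing", "data_before_established"})

# Column order of a Bro 2.x weird.log (assumption about the layout).
FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "name", "addl", "notice", "peer")

# Constructed sample in the tab-separated weird.log layout. The uids and the
# addresses are made up and are not the hosts from the original post.
SAMPLE_WEIRD_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer\n"
    "1427302895.156616\tCuidAAA1\t172.16.0.10\t33468\t192.0.2.10\t41223\tdata_before_established\t-\tF\tbro\n"
    "1427302895.228297\tCuidBBB2\t172.16.0.10\t45107\t192.0.2.20\t13871\tpossible_split_routing\t-\tF\tbro\n"
    "1427302895.228985\tCuidBBB2\t172.16.0.10\t45107\t192.0.2.20\t13871\tdata_before_established\t-\tF\tbro\n"
    "1427302895.782191\tCuidCCC3\t172.16.0.10\t55007\t192.0.2.30\t11898\tpossible_split_routing\t-\tF\tbro\n"
    "1427302895.783376\tCuidCCC3\t172.16.0.10\t55007\t192.0.2.30\t11898\tdata_before_established\t-\tF\tbro\n"
    "1427302896.000000\tCuidDDD4\t172.16.0.11\t50000\t192.0.2.40\t80\tbad_TCP_checksum\t-\tF\tbro\n"
)


def parse_weird_log(text):
    """Parse weird.log text into dicts; skips '#' header lines and truncated rows."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 7:  # need at least the name column
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def count_by_name(records):
    """How often each weird name appears."""
    return dict(Counter(r["name"] for r in records))


def one_way_share(records):
    """Fraction of entries attributable to seeing only one direction of the session."""
    if not records:
        return 0.0
    return sum(r["name"] in ONE_WAY_WEIRDS for r in records) / len(records)


def split_routing_uids(records):
    """Connections flagged possible_split_routing, i.e. where Bro saw one side only."""
    return sorted({r["uid"] for r in records if r["name"] == "possible_split_routing"})


def residual_weirds(records):
    """Entries left after setting aside the one-way noise; these still deserve a look."""
    return [r for r in records if r["name"] not in ONE_WAY_WEIRDS]


if __name__ == "__main__":
    recs = parse_weird_log(SAMPLE_WEIRD_LOG)
    print(count_by_name(recs))
    print(f"{one_way_share(recs):.0%} of weirds are one-way-capture noise")
    print("split-routing uids:", split_routing_uids(recs))
    for r in residual_weirds(recs):
        print("residual:", r["uid"], r["name"])
```

Run it against a real weird.log (replace SAMPLE_WEIRD_LOG with the file's contents) to see whether the two one-way names dominate the log, which is what a one-direction mirror should produce; anything in the residual list is not explained by the capture setup and is worth investigating separately. As for the question of switching them off: in Bro 2.x the weird framework (base/frameworks/notice/weird.bro, as far as I know) exposes a redefinable Weird::actions table keyed by weird name, and mapping these two names to Weird::ACTION_IGNORE is the usual way to keep them out of weird.log without touching the protocol analysis itself.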