[Bro] One-way TCP session to handle HTTP requests only

Rovnov Pavel provnov at solidex.by
Wed Mar 25 10:11:34 PDT 2015 

Hello again!

 

I'm trying to run installation with client-to-server only traffic
visible to Bro. This seems not to break Bro however the following
messages fill weird.log:

 

1427302895.156616         C50xd821xHdTYgVRWj  172.x.x.x
33468    87.252.227.138  41223    data_before_established
-              F              bro

1427302895.228297         CqeQYQ1Q4MgbwupuR8             172.x.x.x
45107    62.84.63.46         13871                possible_split_routing
-              F              bro

1427302895.228985         CqeQYQ1Q4MgbwupuR8             172.x.x.x
45107    62.84.63.46         13871
data_before_established            -              F              bro

1427302895.782191         CiSuNR2tWAfGBpuSxe  172.x.x.x
55007    80.249.82.211     11898                possible_split_routing
-              F              bro

1427302895.783376         CiSuNR2tWAfGBpuSxe  172.x.x.x
55007    80.249.82.211     11898                data_before_established

 

 

Does anyone know how to switch Bro into asymmetric mode? At least can I
disable notices that need 2-way session?

 

Thanks!

 

Pavel

 

From: Rovnov Pavel 
Sent: Wednesday, March 25, 2015 3:11 PM
To: 'bro at bro.org'
Subject: One-way TCP session to handle HTTP requests only

 

Hello!

 

I'm looking for a monitoring solution that will give me an instrument to
log all HTTP requests (including HTTPS). I see that Bro does this really
well by default. But as soon as I will have huge amount of web traffic
(like 10Gb/s+) I would like to process HTTP requests only by mirroring
only one-way of TCP sessions. That will save a lot of processing power
since HTTP request << HTTP response.

 

I found only one reference to my idea that say that handling one-way TCP
at best will slow down Bro
(http://mailman.icsi.berkeley.edu/pipermail/bro/2006-October/001853.html
). So the questions are:

 

1)      Can anyone confirm that using Bro to handle one-way TCP session
is a bad idea?

 

2)      Does anyone have any experience of tuning Bro to handle one-way
TCP sessions? We might turn off unnecessary processing (e. g. policies
that need 2-way session) to solve the task...

 

Thanks!

 

Pavel

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150325/fce0c40e/attachment-0001.html

More information about the Bro mailing list