[Bro] One-way TCP session to handle HTTP requests only

Rovnov Pavel provnov at solidex.by
Wed Mar 25 23:58:32 PDT 2015


Hello Seth,

To bubble up asymmetric traffic analysis higher in the list, let me describe our scenario. We would like to analyze ~55Gb/s+ (5Gb/s upstream, 50Gb/s downstream) of web traffic (both HTTP and HTTPS). At layer 7 we need to know hostnames and perhaps URLs visited. If we analyze upstream only, we can reduce hardware requirements greatly.

What causes Bro to be intolerant of asymmetric traffic: rules, BinPac, ...? What if we disable all rules and leave only the rules that solve the task? Will the result still be coincidental?

Thanks for answers!

Pavel

-----Original Message-----
From: Seth Hall [mailto:seth at icir.org] 
Sent: Wednesday, March 25, 2015 9:27 PM
To: Rovnov Pavel
Cc: bro at bro.org
Subject: Re: [Bro] One-way TCP session to handle HTTP requests only


> On Mar 25, 2015, at 1:11 PM, Rovnov Pavel <provnov at solidex.by> wrote:
> 
> Does anyone know how to switch Bro into asymmetric mode? At least can I disable notices that need 2-way session?

Unfortunately at this time, we don’t pay much attention to asymmetric traffic analysis.  This is something I’ve been wanting to do for a long time, but it hasn’t bubbled up high enough on the priority list yet.

Any results you get from asymmetric traffic processing are coincidental; we don’t have any tests or anything that validate that Bro works in any particular scenario with asymmetric traffic.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
