I have a question about asymmetric routing and Bro IDS
Consider a situation where traffic to and from an organization takes
different routes and the IDS is deployed where only one direction of
the conversation can be monitored (either client to server OR server
to client).
In such a situation, does the TCP analysis of Bro work? Or does it
need to see both sides of the conversation?
> In such a situation, does the TCP analysis of Bro work? Or does it
> need to see both sides of the conversation?
Bro has code to detect this case and still perform some analysis. However,
we haven't operated it in such an environment for a number of years, so I
don't know if that code still functions correctly. Even if it does, you'll
still at best get degraded performance, since many of the policy scripts
expect to match requests with responses.
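A practical way to tell whether a sensor is actually in the asymmetric position described above is to audit its conn.log: Bro/Zeek records per-endpoint packet counts and a history string (uppercase letters for originator events, lowercase for responder events), so connections where only one side ever appears stand out. The script below is an added example, not code from the thread or from the Bro/Zeek project; it assumes the default tab-separated conn.log layout with the standard Conn::Info fields, and the embedded log excerpt is constructed for illustration rather than taken from a real capture.

```python
"""Audit a Bro/Zeek conn.log for one-sided TCP visibility (asymmetric routing).

Added example, not part of the original thread or of Bro/Zeek itself. It reads
conn.log in the default tab-separated format and uses only standard Conn::Info
fields: proto, conn_state, history, orig_pkts, resp_pkts.
"""
from collections import Counter
from typing import Dict, Iterator, List

# Constructed conn.log excerpt for illustration; the values are not from a real capture.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp"
    "\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes"
    "\ttunnel_parents\n"
    # Full handshake, both sides seen (normal symmetric tap).
    "1.0\tC1\t10.0.0.5\t40001\t192.0.2.10\t80\ttcp\thttp\t0.5\t300\t4000\tSF\tT\tF\t0"
    "\tShADadFf\t6\t600\t5\t4200\t-\n"
    # SYN, ACK, data and FIN from the client only: the server's return path bypasses the sensor.
    "2.0\tC2\t10.0.0.5\t40002\t192.0.2.10\t443\ttcp\t-\t0.4\t500\t-\tSH\tT\tF\t0"
    "\tSADF\t5\t700\t0\t0\t-\n"
    # Only the server's SYN-ACK, data and FIN were seen.
    "3.0\tC3\t10.0.0.6\t40003\t192.0.2.11\t25\ttcp\t-\t0.3\t-\t800\tSHR\tT\tF\t0"
    "\thadf\t0\t0\t4\t1000\t-\n"
    # Lone SYN with no reply; on a one-sided sensor this is indistinguishable from a scan.
    "4.0\tC4\t10.0.0.7\t40004\t192.0.2.12\t22\ttcp\t-\t-\t-\t-\tS0\tT\tF\t0"
    "\tS\t1\t60\t0\t0\t-\n"
    # UDP flow, not subject to the TCP checks.
    "5.0\tC5\t10.0.0.5\t50000\t192.0.2.53\t53\tudp\tdns\t0.01\t40\t120\tSF\tT\tF\t0"
    "\tDd\t1\t68\t1\t148\t-\n"
    "#close\t2024-01-01-00-00-00\n"
)


def parse_conn_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # #separator, #types, #close and other metadata lines
        values = line.split("\t")
        if not fields or len(values) != len(fields):
            raise ValueError("record does not match #fields header: %r" % line)
        yield dict(zip(fields, values))


def _count(value: str) -> int:
    # Zeek writes '-' for unset fields.
    return 0 if value in ("", "-") else int(value)


def classify_visibility(rec: Dict[str, str]) -> str:
    """Return 'both', 'orig_only', 'resp_only' or 'none' for TCP, 'non-tcp' otherwise.

    Packet counts come from the connection-size analyzer (on by default); the
    history string is a fallback, with uppercase letters marking originator
    events and lowercase letters responder events."""
    if rec.get("proto") != "tcp":
        return "non-tcp"
    history = rec.get("history", "-")
    history = "" if history == "-" else history
    orig_seen = _count(rec.get("orig_pkts", "-")) > 0 or any(
        c.isalpha() and c.isupper() for c in history)
    resp_seen = _count(rec.get("resp_pkts", "-")) > 0 or any(
        c.isalpha() and c.islower() for c in history)
    if orig_seen and resp_seen:
        return "both"
    if orig_seen:
        return "orig_only"
    if resp_seen:
        return "resp_only"
    return "none"


def audit_visibility(text: str) -> Dict[str, str]:
    """Map each connection uid to its visibility class."""
    return {rec["uid"]: classify_visibility(rec) for rec in parse_conn_log(text)}


def one_sided_ratio(text: str) -> float:
    """Fraction of TCP connections in which only one endpoint's packets were seen."""
    classes = Counter(audit_visibility(text).values())
    tcp_total = sum(n for k, n in classes.items() if k != "non-tcp")
    if tcp_total == 0:
        return 0.0
    return (classes["orig_only"] + classes["resp_only"]) / tcp_total


def looks_asymmetric(text: str, threshold: float = 0.5) -> bool:
    """True when one-sided TCP connections exceed the threshold share.

    A symmetric tap shows a small share (scans, dead hosts, retransmission
    loss); a sensor that sees one direction of routed traffic shows a large one.
    The 0.5 default is an assumed starting point, not a Bro/Zeek constant."""
    return one_sided_ratio(text) > threshold


if __name__ == "__main__":
    for uid, cls in audit_visibility(SAMPLE_CONN_LOG).items():
        print(uid, cls)
    print("one-sided ratio: %.2f" % one_sided_ratio(SAMPLE_CONN_LOG))
    print("asymmetric visibility suspected:", looks_asymmetric(SAMPLE_CONN_LOG))
```

Run it against a real conn.log (`python3 audit.py < conn.log` after swapping `SAMPLE_CONN_LOG` for `sys.stdin.read()`) before trusting any request/response-matching policy script on that sensor: a high one-sided ratio means the degraded-analysis mode described in the reply is what you are actually running, and the `S0` case shows why a lone client-side SYN cannot be interpreted as a failed connection without the other direction.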