Bro and asymmetric routing

Hello All

I have a question about asymmetric routing and Bro IDS.

Consider a situation where traffic to and from an organization takes
different routes and the IDS is deployed where only one direction of
the conversation can be monitored (either client to server OR server
to client).
In such a situation, does the TCP analysis of Bro work? Or does it
need to see both sides of the conversation?

Thanks for the reply.
Thomas

> In such a situation does the TCP analysis of Bro work? Or does it
> need to see both sides of the conversation?

Bro has code to detect this case and still perform some analysis. However,
we haven't operated it in such an environment for a number of years, so I
don't know if that code still functions correctly. Even if it does, you'll
still at best get degraded performance, since many of the policy scripts
expect to match requests with responses.

    Vern
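
An added example, not part of the thread or of Bro itself: a quick check of whether a sensor is seeing only one direction of TCP conversations. It assumes a Bro 2.x-style tab-separated conn.log with a `history` column, where uppercase letters record originator packets and lowercase letters record responder packets; the sample log rows and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample: a trimmed Bro 2.x-style conn.log (tab-separated).
# Column names follow conn.log; addresses are documentation ranges.
_ROWS = [
    ("#fields", "ts", "uid", "id.orig_h", "id.resp_h", "proto", "history"),
    ("1.0", "C1", "192.0.2.10", "198.51.100.5", "tcp", "ShADadFf"),
    ("2.0", "C2", "192.0.2.11", "198.51.100.5", "tcp", "SADF"),
    ("3.0", "C3", "192.0.2.12", "198.51.100.6", "tcp", "SAD"),
    ("4.0", "C4", "192.0.2.13", "198.51.100.6", "tcp", "hadf"),
    ("5.0", "C5", "192.0.2.14", "198.51.100.7", "udp", "D"),
    ("6.0", "C6", "192.0.2.15", "198.51.100.7", "tcp", "-"),
    ("7.0", "C7", "192.0.2.16", "198.51.100.8", "tcp", "Sr"),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in _ROWS)


def classify(history):
    """Say which side(s) of a connection the sensor saw packets from."""
    letters = [c for c in history if c.isalpha()]  # skips '-' and '^'
    if not letters:
        return "unknown"
    saw_orig = any(c.isupper() for c in letters)
    saw_resp = any(c.islower() for c in letters)
    if saw_orig and saw_resp:
        return "both"
    return "orig_only" if saw_orig else "resp_only"


def summarize(log_text):
    """Count TCP connections by visible direction, using the #fields header."""
    fields, counts = None, Counter()
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("no #fields header before data rows")
            rec = dict(zip(fields, line.split("\t")))
            if rec.get("proto") == "tcp":
                counts[classify(rec.get("history", "-"))] += 1
    return counts


def one_sided_ratio(counts):
    """Fraction of TCP connections where only one direction was seen."""
    total = sum(counts.values())
    return (counts["orig_only"] + counts["resp_only"]) / total if total else 0.0
```

Unanswered SYNs (history `S`) also count as originator-only, so a ratio dominated by histories such as `SAD` or `hadf` is the stronger sign that the sensor sits on one leg of an asymmetric path.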