Bro working with a Cisco Ironport WSA

I was trying out BRO and was using a span port from the inside interface of our firewall. I was wondering about if there is any feature in BRO that you can use to understand all the redirection that happens because of our new Cisco WSA. BRO is going bonkers with all the half-open sessions, etc that the WCCP redirects from the firewall to the WSA cause. I am thinking that I will have to better engineer where I am looking at traffic, but I thought I would ask first. Thanks for any insight you can provide.

Chris Bennett, CISSP, GSNA

Dir. of Information Security and Infrastructure Support

Lansing Community College


I don't know anything about what's going on with the Cisco box you have, but it seems likely that you're right and you're going to want to changing how you're monitoring traffic.