I was trying out BRO and was using a span port from the inside interface of our firewall. I was wondering about if there is any feature in BRO that you can use to understand all the redirection that happens because of our new Cisco WSA. BRO is going bonkers with all the half-open sessions, etc that the WCCP redirects from the firewall to the WSA cause. I am thinking that I will have to better engineer where I am looking at traffic, but I thought I would ask first. Thanks for any insight you can provide.
Chris Bennett, CISSP, GSNA
Dir. of Information Security and Infrastructure Support
Lansing Community College