I’m looking for a monitoring solution that will give me an instrument to log all HTTP requests (including HTTPS). I see that Bro does this really well by default. But as soon as I have a huge amount of web traffic (like 10 Gb/s+), I would like to process HTTP requests only, by mirroring only one direction of the TCP sessions. That would save a lot of processing power, since HTTP request << HTTP response.
I found only one reference to my idea, which says that handling one-way TCP will at best slow down Bro (http://mailman.icsi.berkeley.edu/pipermail/bro/2006-October/001853.html). So the questions are:
Can anyone confirm that using Bro to handle one-way TCP sessions is a bad idea?
Does anyone have any experience of tuning Bro to handle one-way TCP sessions? We might turn off unnecessary processing (e.g. policies that need a 2-way session) to solve the task…