One-way TCP session to handle HTTP requests only


I’m looking for a monitoring solution that will give me an instrument to log all HTTP requests (including HTTPS). I see that Bro does this really well by default. But as soon as I will have huge amount of web traffic (like 10Gb/s+) I would like to process HTTP requests only by mirroring only one-way of TCP sessions. That will save a lot of processing power since HTTP request << HTTP response.

I found only one reference to my idea that say that handling one-way TCP at best will slow down Bro ( So the questions are:

  1. Can anyone confirm that using Bro to handle one-way TCP session is a bad idea?

  2. Does anyone have any experience of tuning Bro to handle one-way TCP sessions? We might turn off unnecessary processing (e. g. policies that need 2-way session) to solve the task…