I’m trying to run installation with client-to-server only traffic visible to Bro. This seems not to break Bro however the following messages fill weird.log:
1427302895.156616 C50xd821xHdTYgVRWj 172.x.x.x 33468 126.96.36.199 41223 data_before_established - F bro
1427302895.228297 CqeQYQ1Q4MgbwupuR8 172.x.x.x 45107 188.8.131.52 13871 possible_split_routing - F bro
1427302895.228985 CqeQYQ1Q4MgbwupuR8 172.x.x.x 45107 184.108.40.206 13871 data_before_established - F bro
1427302895.782191 CiSuNR2tWAfGBpuSxe 172.x.x.x 55007 220.127.116.11 11898 possible_split_routing - F bro
1427302895.783376 CiSuNR2tWAfGBpuSxe 172.x.x.x 55007 18.104.22.168 11898 data_before_established
Does anyone know how to switch Bro into asymmetric mode? At least, can I disable notices that need a 2-way session?
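An added example (not from anyone in this thread) showing how the two weird names in the pasted weird.log can be downgraded in the Weird framework; it assumes the Weird::actions table and Weird::ACTION_* enum values from base/frameworks/notice/weird.bro in Bro 2.x.

```zeek
# Added example, not part of the thread. Assumes Bro 2.x's Weird framework
# (base/frameworks/notice/weird.bro), which maps a weird name to an action.
#
# With only client-to-server traffic visible, every connection raises
# data_before_established and possible_split_routing, so the default
# per-connection logging floods weird.log. LOG_ONCE keeps one record per
# weird name, which is enough to notice if the tap ever starts delivering
# something different, without drowning the rest of the log.
redef Weird::actions += {
    ["data_before_established"] = Weird::ACTION_LOG_ONCE,
    ["possible_split_routing"]  = Weird::ACTION_LOG_ONCE,
};

# If the one-directional feed is intentional and these entries carry no
# information for this deployment, suppress them entirely instead:
# redef Weird::actions += {
#     ["data_before_established"] = Weird::ACTION_IGNORE,
#     ["possible_split_routing"]  = Weird::ACTION_IGNORE,
# };
```

The keys are the values of the name column in weird.log; the snippet belongs in local.bro (or any script loaded by it). Downgrading the log entries only quiets the log, it does not change how the analyzers handle the missing server-to-client half.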
Unfortunately, at this time we don’t pay much attention to asymmetric traffic analysis. This is something I’ve been wanting to do for a long time, but it hasn’t bubbled up high enough on the priority list yet.
Any results you get from asymmetric traffic processing are coincidental; we don’t have any tests or anything that validate that Bro works in any particular scenario with asymmetric traffic.
To bubble asymmetric traffic analysis up higher in the list, let me describe our scenario. We would like to analyze ~55Gb/s+ (5Gb/s upstream, 50Gb/s downstream) of web traffic (both HTTP and HTTPS). At layer 7 we need to know hostnames and perhaps URLs visited. If we analyze upstream only, we can reduce hardware requirements greatly.
What causes Bro to be intolerant of asymmetric traffic: rules, BinPac, ...? What if we disable all rules and leave only the rules that solve the task? Will the result still be coincidental?
Thanks for answers!