One-way TCP session to handle HTTP requests only

Hello again!

I’m trying to run an installation with only client-to-server traffic visible to Bro. This seems not to break Bro; however, the following messages fill weird.log:

1427302895.156616 C50xd821xHdTYgVRWj 172.x.x.x 33468 41223 data_before_established - F bro

1427302895.228297 CqeQYQ1Q4MgbwupuR8 172.x.x.x 45107 13871 possible_split_routing - F bro

1427302895.228985 CqeQYQ1Q4MgbwupuR8 172.x.x.x 45107 13871 data_before_established - F bro

1427302895.782191 CiSuNR2tWAfGBpuSxe 172.x.x.x 55007 11898 possible_split_routing - F bro

1427302895.783376 CiSuNR2tWAfGBpuSxe 172.x.x.x 55007 11898 data_before_established

Does anyone know how to switch Bro into asymmetric mode? At least, can I disable notices that need a 2-way session?



Unfortunately, at this time, we don’t pay much attention to asymmetric traffic analysis. This is something I’ve been wanting to do for a long time, but it hasn’t bubbled up high enough on the priority list yet.

Any results you get from asymmetric traffic processing are coincidental; we don’t have any tests or anything that validate that Bro works in any particular scenario with asymmetric traffic.


Hello Seth,

To bubble up asymmetric traffic analysis higher in the list, let me describe our scenario. We would like to analyze ~55Gb/s+ (5Gb/s upstream, 50Gb/s downstream) of web traffic (both HTTP and HTTPS). At layer 7 we need to know hostnames and perhaps URLs visited. In case we analyze upstream only, we can reduce hardware requirements greatly.

What causes Bro to be asymmetric intolerant: rule, BinPac, ...? What if we disable all rules and leave only rules that solve the task? Will the result still be coincidental?

Thanks for answers!