[Bro] Interesting observation with ssh on non-ssh port

Siwek, Jonathan Luke jsiwek at illinois.edu
Wed Apr 2 14:15:20 PDT 2014

On Apr 2, 2014, at 1:14 PM, James Lay <jlay at slave-tothe-box.net> wrote:

> I see my connected sessions fine in ssh.log, 
> but there's no trace of it in conn.log.  This obviously explains why I 
> couldn't get the large outbound transfer scripts working, but now I'm 
> curious...is there a reason why this TCP session doesn't show up in 
> conn.log? 

No immediate idea on why the TCP session isn’t showing in conn.log, but one thing to be aware of is SSH::skip_processing_after_detection.  If you’ve redef’d that to true, then any large-transfer detection is bound to fail for SSH sessions.  Generally, any connection on which the skip_further_processing() built-in function is called won’t have accurate size/packet counts.

- Jon
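The point about SSH::skip_processing_after_detection is easy to see in a policy script. The following is an added example for this archive page, not code from Jon's reply or from the Bro distribution: it raises a notice when the client side of an SSH session (including one detected on a non-standard port) has sent more than a threshold number of bytes. The module name, the notice name and the threshold value are assumptions for illustration; the event, record fields and the SSH variable are the Bro 2.x ones. The redef at the bottom keeps the default (F) explicitly, because with the value set to T the event engine stops counting bytes after the SSH handshake and the check below can never fire.

```bro
##! Added example (not part of the original thread): report SSH sessions
##! whose originator sent more than a threshold number of bytes.
##! SSHXfer, Large_Outbound_Transfer and the threshold are assumed names.

@load base/frameworks/notice
@load base/protocols/ssh

module SSHXfer;

export {
	redef enum Notice::Type += {
		## Raised when the client side of an SSH session sent more
		## than `threshold` bytes (assumed notice name).
		Large_Outbound_Transfer,
	};

	## Bytes from the originator above which the session is reported
	## (assumed value, tune for the site).
	const threshold = 100000000 &redef;
}

# Byte accounting in c$orig$size depends on the event engine seeing the
# whole stream. If SSH::skip_processing_after_detection is T, the SSH
# script calls skip_further_processing() after the handshake and the
# endpoint sizes stop growing, so keep the default for this policy.
redef SSH::skip_processing_after_detection = F;

event connection_state_remove(c: connection)
	{
	# c$ssh is only present once the SSH analyzer attached, which also
	# covers SSH found by DPD on a non-standard port.
	if ( ! c?$ssh )
		return;

	if ( c$orig$size > threshold )
		NOTICE([$note=Large_Outbound_Transfer,
		        $conn=c,
		        $msg=fmt("%s sent %d bytes over SSH to %s:%s",
		                 c$id$orig_h, c$orig$size,
		                 c$id$resp_h, c$id$resp_p)]);
	}
```

Load it alongside the default scripts (for example with `@load` from local.bro or `bro -r trace.pcap this-script.bro`). If the notice never appears even for transfers that clearly exceed the threshold, check whether some other loaded script redefines SSH::skip_processing_after_detection to T or calls skip_further_processing() on the connection, since either leaves c$orig$size frozen at roughly the handshake size.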
