[Bro] [bro] ssh connetions.

Azoff, Justin S jazoff at illinois.edu
Thu Mar 17 11:03:22 PDT 2016

> On Mar 17, 2016, at 1:55 PM, Kellogg, Brian D (OLN) <bkellogg at dresser-rand.com> wrote:
> Similarly I’ve seen SSH sessions not identified when SSH is multiplexed with other protocols on the same port; e.g. SSH and HTTP on port 80.  Wish I had more time to help with detecting cases like this.
> https://github.com/stealth/sshttp 

I've been working on that as part of https://bro-tracker.atlassian.net/browse/BIT-1521

There's a bug in the current known services policy that causes multiple protocols on the same port to not be logged to known_services.log, but they should still show up in conn.log as the proper service.

There is a slightly different but related issue in that if you send an http request to an ssh server or an ssh client banner to an http server, bro won't attach both analyzers to the connection.  So, you'll get either an http log or an ssh log, but not both.

- Justin Azoff

More information about the Bro mailing list