[Bro-Dev] #947: Incorrect size calculation for SSH failed/successful heuristic
Bro Tracker
bro at tracker.bro-ids.org
Tue Feb 19 14:39:21 PST 2013
#947: Incorrect size calculation for SSH failed/successful heuristic
------------------------+---------------------
Reporter: grigorescu | Type: Problem
Status: new | Priority: Low
Milestone: Bro2.2 | Component: Bro
Version: git/master | Keywords:
------------------------+---------------------
We're getting a lot of false positives for successful SSH logins from a
source that we recently blackholed. I suspect what's happening is that the
retransmissions keep bumping up the size of the connection, until it
crosses the threshold for a "successful" connection.
With the changes from #730: Find and fix tcp sequence counting bugs, is it
possible to improve the accuracy of the reported size?
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/947>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
More information about the bro-dev
mailing list