[Bro-Dev] #947: Incorrect size calculation for SSH failed/successful heuristic
Bro Tracker
bro at tracker.bro-ids.org
Thu Feb 21 10:52:32 PST 2013
#947: Incorrect size calculation for SSH failed/successful heuristic
-------------------------+------------------------
Reporter: grigorescu | Owner:
Type: Problem | Status: new
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: | Keywords:
-------------------------+------------------------
Comment (by jsiwek):
Replying to [comment:2 seth]:
> There is a trace attached to the fixed ticket that Vlad referenced. Bro
> was picking the wrong TCP sequence ID to follow in some cases. For the
> trace attached to the ticket, there is a middle box that sends a RST to
> kill the connection.
But that doesn't demonstrate Vlad's current issue, so an example pcap
would still help.
The heuristic for SSH login looks like it primarily uses the packet-wise
size calculations from conn_size_analyzer, but only falls back on the TCP
stream size based on sequence numbers if it looked like there was
something wonky with the packet-wise size (for which I see a TODO comment
about that being fragile in some cases like IPv6).
So making the choice of heuristic more flexible/user-controllable might
help. E.g. maybe refactoring it to use ConnPolling stuff would work, and
you could provide some standard/default callbacks that demonstrate
checking by packet-wise size versus TCP stream-wise size. (And make the
default be a stream-wise size check if #730 was the only reason why it
wasn't in the first place).
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/947#comment:3>
Bro Tracker <http://tracker.bro-ids.org/bro>
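The two ways of sizing one direction of a connection that the comment above contrasts, as an added illustration that is not Bro code and not part of the ticket: a packet-wise count just adds up payload lengths, while a sequence-number-based count measures the stream space actually covered, so a retransmitted segment or a payload-less RST from a middlebox inflates the first but not the second. The Segment records, the sample segment lists and the strategy-callback arrangement (standing in for the pluggable check jsiwek suggests) are this example's own constructions.

```python
"""Packet-wise vs. sequence-number-based byte counting for one direction of
a TCP connection (constructed example; not Bro's implementation)."""
from dataclasses import dataclass
from typing import Callable, List

SEQ_SPACE = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass(frozen=True)
class Segment:
    """One TCP segment in one direction (constructed record, not a capture)."""
    seq: int        # sequence number of the first payload byte
    payload: int    # payload length in bytes (0 for a pure ACK or RST)
    rst: bool = False


def packetwise_size(segments: List[Segment]) -> int:
    """Add up the payload of every segment seen, as a per-packet byte counter
    does. A retransmitted segment is counted a second time."""
    return sum(s.payload for s in segments)


def streamwise_size(segments: List[Segment], first_seq: int) -> int:
    """Bytes of sequence space covered from the first data byte (first_seq) to
    the highest seq+payload seen, modulo 2**32. Retransmissions do not inflate
    this, and an RST carrying no payload adds nothing."""
    return max(((s.seq + s.payload - first_seq) % SEQ_SPACE for s in segments),
               default=0)


# A sizing strategy takes the segments and the first data sequence number and
# returns the byte count the login heuristic should reason about.
SizeStrategy = Callable[[List[Segment], int], int]


def packet_then_stream(segments: List[Segment], first_seq: int) -> int:
    """Mirrors the fallback the ticket describes: prefer the packet-wise count,
    but use the stream-wise count when the two disagree (the packet-wise
    number is then suspect)."""
    pw = packetwise_size(segments)
    sw = streamwise_size(segments, first_seq)
    return pw if pw == sw else sw


def stream_only(segments: List[Segment], first_seq: int) -> int:
    """Always size by sequence numbers (the default jsiwek proposes)."""
    return streamwise_size(segments, first_seq)


def login_bytes(segments: List[Segment], first_seq: int,
                strategy: SizeStrategy = stream_only) -> int:
    """Size one direction of the connection with a caller-chosen strategy."""
    return strategy(segments, first_seq)


# Constructed samples. RETRANSMIT: the second segment is sent twice and a
# middlebox RST with no payload ends the connection. WRAP: the sequence
# number crosses 2**32 mid-stream.
RETRANSMIT = [
    Segment(1001, 100),
    Segment(1101, 200),
    Segment(1101, 200),          # retransmission of the previous segment
    Segment(1301, 50),
    Segment(1351, 0, rst=True),  # payload-less RST from a middlebox
]
WRAP = [Segment(SEQ_SPACE - 50, 100), Segment(50, 20)]


if __name__ == "__main__":
    for name, segs, first in (("retransmit", RETRANSMIT, 1001),
                              ("wrap", WRAP, SEQ_SPACE - 50)):
        print(name, "packet-wise:", packetwise_size(segs),
              "stream-wise:", streamwise_size(segs, first),
              "chosen:", login_bytes(segs, first, packet_then_stream))
```

With the retransmitting sample the packet-wise count reports 550 bytes where only 350 bytes of stream were ever delivered, which is exactly the kind of disagreement that would push a size-threshold login heuristic the wrong way; the wrap-around sample shows the modular arithmetic keeping both counts in agreement at 120.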