[Bro-Dev] #947: Incorrect size calculation for SSH failed/successful heuristic
Bro Tracker
bro at tracker.bro-ids.org
Thu Feb 21 11:10:06 PST 2013
#947: Incorrect size calculation for SSH failed/successful heuristic
-------------------------+------------------------
Reporter: grigorescu | Owner:
Type: Problem | Status: new
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: | Keywords:
-------------------------+------------------------
Comment (by seth):
> The heuristic for SSH login looks like it primarily uses the packet-wise
> size calculations from conn_size_analyzer, but only falls back on the TCP
> stream size based on sequence numbers if there looked like there was
> something wonky with the packet-wise size (for which I see a TODO comment
> about that being fragile in some cases like IPv6).
Ah, the problem is the conn_size_analyzer counts retransmissions and
includes the size of the IP and TCP headers. I only want the payload
size. The current implementation is horribly brain-dead.
> So making the choice of heuristic more flexible/user-controllable might
> help. E.g. maybe refactoring it to use ConnPolling stuff would work, and
> you could provide some standard/default callbacks that demonstrate
> checking by packet-wise size versus TCP stream-wise size. (And make the
> default be a stream-wise size check if #730 was the only reason why it
> wasn't in the first place).
You got it right on all accounts.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/947#comment:3>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
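
Added example, not part of the original message and not Bro's code: the two size measures discussed in this comment, computed over a constructed responder-side packet list that contains retransmissions. The `Segment` type, the header sizes, the 2000-byte `THRESHOLD` and the rule "more responder bytes than the threshold means a successful login" are assumptions made for illustration.

```python
from dataclasses import dataclass

SEQ_MOD = 2 ** 32
THRESHOLD = 2000  # hypothetical cut-off in bytes, not Bro's configured value


@dataclass
class Segment:
    """One responder-to-originator TCP packet (constructed sample data)."""
    seq: int           # sequence number of the first payload byte
    payload: int       # TCP payload length in bytes
    ip_hdr: int = 20   # assumed IPv4 header without options
    tcp_hdr: int = 32  # assumed TCP header with timestamp option


def packetwise_size(segs):
    """Per-packet accounting: headers and retransmitted packets all count."""
    return sum(s.ip_hdr + s.tcp_hdr + s.payload for s in segs)


def streamwise_size(segs, isn):
    """Payload bytes delivered, derived from sequence numbers only.

    The SYN consumes one sequence number, so payload starts at isn + 1.
    Working modulo 2**32 keeps the result right across a sequence wrap
    (for streams shorter than 4 GiB). Retransmissions add nothing.
    """
    return max(((s.seq + s.payload - isn - 1) % SEQ_MOD for s in segs), default=0)


def classify(resp_bytes, threshold=THRESHOLD):
    """Assumed heuristic: many responder bytes => login succeeded."""
    return "success" if resp_bytes > threshold else "failure"


# Constructed flow: a short, failed-looking session on a lossy link.
ISN = 1000
FLOW = [
    Segment(1001, 21),                        # banner
    Segment(1022, 1080), Segment(1022, 1080), # key exchange + retransmission
    Segment(2102, 280), Segment(2382, 52),
    Segment(2434, 84), Segment(2434, 84),     # reply + retransmission
    Segment(2518, 0), Segment(2518, 0), Segment(2518, 0),  # pure ACKs
]

if __name__ == "__main__":
    for name, size in (("packet-wise", packetwise_size(FLOW)),
                       ("stream-wise", streamwise_size(FLOW, ISN))):
        print(f"{name}: {size} bytes -> {classify(size)}")
```

On this flow the packet-wise count is more than double the payload actually delivered, which is enough to flip the verdict of a threshold-based check.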