[Bro-Dev] #947: Incorrect size calculation for SSH failed/successful heuristic

Bro Tracker bro at tracker.bro-ids.org
Thu Feb 21 11:10:06 PST 2013


#947: Incorrect size calculation for SSH failed/successful heuristic
-------------------------+------------------------
  Reporter:  grigorescu  |      Owner:
      Type:  Problem     |     Status:  new
  Priority:  Low         |  Milestone:  Bro2.2
 Component:  Bro         |    Version:  git/master
Resolution:              |   Keywords:
-------------------------+------------------------

Comment (by seth):

 > The heuristic for SSH login looks like it primarily uses the packet-wise
 > size calculations from conn_size_analyzer, but only falls back on the TCP
 > stream size based on sequence numbers if there looked like there was
 > something wonky with the packet-wise size (for which I see a TODO comment
 > about that being fragile in some cases like IPv6).

 Ah, the problem is the conn_size_analyzer counts retransmissions and
 includes the size of the IP and TCP headers.  I only want the payload
 size.  The current implementation is horribly brain-dead.

 > So making the choice of heuristic more flexible/user-controllable might
 > help.  E.g. maybe refactoring it to use ConnPolling stuff would work, and
 > you could provide some standard/default callbacks that demonstrate
 > checking by packet-wise size versus TCP stream-wise size. (And make the
 > default be a stream-wise size check if #730 was the only reason why it
 > wasn't in the first place).

 You got it right on all accounts.

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/947#comment:3>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
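
The size discrepancy discussed in the comment above, as an added example that is not part of the original message and is not Bro's code: it compares a packet-wise byte count (headers and retransmissions included) with a payload size derived from TCP sequence numbers. The `Segment` type, the 5500-byte threshold, the header sizes and the sample segments are all constructed assumptions.

```python
from dataclasses import dataclass

SEQ_MOD = 2 ** 32
THRESHOLD = 5500  # hypothetical success cutoff in bytes, not taken from Bro

@dataclass
class Segment:
    seq: int           # TCP sequence number of the first payload byte
    payload: int       # TCP payload length in bytes
    ip_hdr: int = 20   # assumed IPv4 header without options
    tcp_hdr: int = 32  # assumed TCP header with timestamp option

def packet_wise_size(segs):
    """Sum every packet on the wire: headers and retransmissions included."""
    return sum(s.ip_hdr + s.tcp_hdr + s.payload for s in segs)

def stream_wise_size(isn, segs):
    """Payload bytes in the stream, from sequence numbers relative to the ISN."""
    highest = 0
    for s in segs:
        start = (s.seq - isn - 1) % SEQ_MOD  # SYN consumes one sequence number
        highest = max(highest, start + s.payload)
    return highest

def looks_successful(size):
    """Size-threshold heuristic: a large responder byte count suggests a login."""
    return size >= THRESHOLD

# Constructed responder-side capture; the ISN sits close to the 32-bit wrap.
ISN = SEQ_MOD - 1000

def seq_at(offset):
    return (ISN + 1 + offset) % SEQ_MOD

SEGMENTS = [
    Segment(seq_at(0), 1200),
    Segment(seq_at(1200), 1200),
    Segment(seq_at(1200), 1200),    # retransmission
    Segment(seq_at(2400), 1000),
    Segment(seq_at(2400), 1000),    # retransmission
] + [Segment(seq_at(3400), 0)] * 4  # pure ACKs, headers only

if __name__ == "__main__":
    for name, size in (("packet-wise", packet_wise_size(SEGMENTS)),
                       ("stream-wise", stream_wise_size(ISN, SEGMENTS))):
        print(f"{name}: {size} bytes, successful={looks_successful(size)}")
```

On this constructed input the same connection falls on opposite sides of the threshold depending on which size is used. The stream-wise function assumes the stream is shorter than 4 GiB and that no segment precedes the ISN.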
