[Bro-Dev] [JIRA] (BIT-1236) topic/jsiwek/flip-on-syn-ack

Siwek, Jon jsiwek at illinois.edu
Tue Aug 26 15:49:40 PDT 2014


> On Aug 26, 2014, at 5:02 PM, Vlad Grigorescu <vlad at grigorescu.org> wrote:
> 
> The specific issue is that the jump in seq numbers between the first and second connection cause Bro to think that a lot of traffic was simply missed. This leads to false positives with the SSH heuristic, since now the byte total is over the threshold.

As a workaround, you may be able to filter out such cases by checking whether connection records report missing data and a history string with more than one handshake?

> Digging into this, I realize it wasn't as closely related to this ticket as I thought, so let me know if I should file a new ticket for this.

Yeah, make a ticket.

- Jon
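One way to apply the workaround Jon suggests offline, as a post-processor over conn.log rather than inside Bro: flag a record only when it both reports missed bytes and its history string shows more than one handshake, so that ordinary packet loss (gap, single handshake) and a reused tuple without a gap are left alone. This is an added example, not code from the thread or from Bro. It assumes Bro 2.x conn.log column names, that a second originator SYN on the same 5-tuple appears as a second 'S' in `history`, and that an unset `missed_bytes` ('-') means zero; the conn.log excerpt is constructed for the example.

```python
"""Post-process a Bro conn.log to find connections that look like two TCP
sessions on one 5-tuple: a gap reported in missed_bytes plus more than one
handshake in the history string.  Added example, not Bro's own code.
Assumptions: the second SYN from the originator shows up as a second 'S' in
`history`, and a missed_bytes of '-' is treated as 0.
"""

# Constructed conn.log excerpt (Bro ASCII writer format, tab separated).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes"
    "\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents\n"
    # Ordinary SSH session: one handshake, no gap.
    "1409093001.1\tCnormal1\t10.0.0.5\t51000\t10.0.0.9\t22\ttcp\tssh\t12.0\t2100\t3400\tSF\t-\t0\tShADadFf\t24\t3500\t22\t4600\t(empty)\n"
    # Same 5-tuple reused: second handshake plus a large sequence-number jump.
    "1409093002.2\tCreused2\t10.0.0.5\t51001\t10.0.0.9\t22\ttcp\tssh\t30.0\t61000\t2900\tSF\t-\t58000\tShADadShADadFf\t40\t5200\t38\t4100\t(empty)\n"
    # Single session with real packet loss: gap but only one handshake.
    "1409093003.3\tClossy3\t10.0.0.6\t40100\t10.0.0.9\t22\ttcp\tssh\t9.0\t5200\t3100\tSF\t-\t1460\tShADadFf\t20\t6100\t18\t4200\t(empty)\n"
    # Two handshakes but no gap: not flagged by this rule.
    "1409093004.4\tCtwice4\t10.0.0.7\t40200\t10.0.0.9\t22\ttcp\tssh\t4.0\t1800\t2600\tSF\t-\t0\tShADadShADadFf\t16\t2700\t14\t3600\t(empty)\n"
)

INT_FIELDS = ("orig_bytes", "resp_bytes", "missed_bytes")


def parse_conn_log(text):
    """Parse Bro ASCII conn.log text into a list of dicts keyed by the #fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other header/footer lines
        if fields is None:
            raise ValueError("data line before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        for f in INT_FIELDS:
            rec[f] = 0 if rec.get(f, "-") == "-" else int(rec[f])
        records.append(rec)
    return records


def count_handshakes(history):
    """Handshakes seen, taken as the number of originator SYNs ('S') in the history."""
    return history.count("S")


def looks_like_reused_tuple(rec):
    """Gap reported AND more than one handshake: likely a second connection on the tuple."""
    return rec["missed_bytes"] > 0 and count_handshakes(rec["history"]) > 1


def observed_bytes(rec):
    """Payload bytes actually seen, discounting the gap Bro inferred from sequence numbers."""
    return rec["orig_bytes"] + rec["resp_bytes"] - rec["missed_bytes"]


def suspect_uids(records):
    """UIDs of records that match the reused-tuple-with-gap pattern."""
    return [r["uid"] for r in records if looks_like_reused_tuple(r)]


if __name__ == "__main__":
    for r in parse_conn_log(SAMPLE_CONN_LOG):
        print(r["uid"], r["history"], r["missed_bytes"],
              observed_bytes(r), looks_like_reused_tuple(r))
```

Only `Creused2` matches: the lossy session has a gap but a single handshake, and `Ctwice4` has two handshakes but no gap. `observed_bytes` gives a byte total that discounts the gap, which is the quantity the SSH heuristic's threshold should arguably be compared against in the reused-tuple case.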

