[Bro-Dev] [JIRA] (BIT-1236) topic/jsiwek/flip-on-syn-ack
jsiwek at illinois.edu
Tue Aug 26 15:49:40 PDT 2014
> On Aug 26, 2014, at 5:02 PM, Vlad Grigorescu <vlad at grigorescu.org> wrote:
> The specific issue is that the jump in seq numbers between the first and second connection causes Bro to think that a lot of traffic was simply missed. This leads to false positives with the SSH heuristic, since now the byte total is over the threshold.
As a workaround, you may be able to filter out such cases by checking whether connection records report missing data and a history string with more than one handshake?
> Digging into this, I realize it wasn't as closely related to this ticket as I thought, so let me know if I should file a new ticket for this.
Yeah, make a ticket.
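To make the workaround above concrete, here is an added example (not code from this thread, from Bro, or from Vlad or Jon) that scans conn.log text, flags records that report missed data and carry more than one handshake in the history string, and shows how an SSH byte-total check behaves with and without that filter. It assumes the tab-separated ASCII conn.log format with a `#fields` header, that a repeated originator SYN appears as a repeated `S` in `history`, and uses a stand-in byte threshold (`SSH_BYTE_TOTAL_THRESHOLD`) rather than the real SSH heuristic's value; the log lines are constructed.

```python
"""Added example (not from the thread or from Bro): flag conn.log records where Bro
appears to have merged two TCP connections on a reused 5-tuple, i.e. the record
reports missed_bytes > 0 and its history string shows more than one handshake, and
show how an SSH byte-total heuristic changes once those records are skipped.

Assumptions: ASCII conn.log with a '#fields' header; a repeated originator SYN is
recorded as a repeated 'S' in 'history'; SSH_BYTE_TOTAL_THRESHOLD is a stand-in."""
from typing import Dict, List

# Constructed conn.log excerpt; only the fields used below are real inputs.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tmissed_bytes\thistory",
    # normal SSH session: one handshake, no gap
    "1409093000.0\tCa1\t10.0.0.5\t51234\t10.0.0.9\t22\ttcp\tssh\t3.2"
    "\t1800\t2100\tSF\t0\tShADadFf",
    # port reuse: second handshake on the same 5-tuple, seq jump booked as missed data
    "1409093010.0\tCb2\t10.0.0.5\t51234\t10.0.0.9\t22\ttcp\tssh\t40.0"
    "\t1900\t5200\tSF\t1048576\tShADadFfShADadFf",
    # genuine capture loss: one handshake, gap reported, so it must be kept
    "1409093020.0\tCc3\t10.0.0.6\t40000\t10.0.0.9\t22\ttcp\tssh\t9.0"
    "\t1500\t6000\tSF\t4096\tShADad",
])

SSH_BYTE_TOTAL_THRESHOLD = 4000  # hypothetical stand-in for the heuristic's threshold


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse ASCII conn.log text into one field->value dict per record."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # separator/types/open/close header lines
        values = line.split("\t")
        if not fields or len(values) != len(fields):
            raise ValueError("malformed conn.log line: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def _count(value: str) -> int:
    """conn.log writes '-' for unset count fields; treat that as zero."""
    return 0 if value in ("-", "") else int(value)


def handshake_count(history: str) -> int:
    """Handshakes visible in the history string (assumed: one 'S' per originator SYN)."""
    return history.count("S")


def looks_like_merged_connections(record: Dict[str, str]) -> bool:
    """True when the record reports a data gap AND more than one handshake."""
    return (_count(record.get("missed_bytes", "-")) > 0
            and handshake_count(record.get("history", "")) > 1)


def ssh_successes(records: List[Dict[str, str]], filter_merged: bool = True,
                  threshold: int = SSH_BYTE_TOTAL_THRESHOLD) -> List[str]:
    """UIDs of SSH connections whose byte total crosses the threshold, optionally
    skipping records that look like two merged connections."""
    hits: List[str] = []
    for r in records:
        if r.get("service") != "ssh":
            continue
        if filter_merged and looks_like_merged_connections(r):
            continue  # the gap is a seq jump between two sessions, not real traffic
        if _count(r["orig_bytes"]) + _count(r["resp_bytes"]) >= threshold:
            hits.append(r["uid"])
    return hits


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print("without filter:", ssh_successes(recs, filter_merged=False))
    print("with filter:   ", ssh_successes(recs))
```

Run as-is, the unfiltered pass reports both Cb2 (the port-reuse case) and Cc3, while the filtered pass keeps only Cc3, which reports a gap but a single handshake, so real capture loss is not hidden by the workaround.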