[Bro-Dev] [JIRA] (BIT-1427) rare SSH successful login heuristic FPs

Vlad Grigorescu (JIRA) jira at bro-tracker.atlassian.net
Sun Jun 21 08:52:01 PDT 2015

    [ https://bro-tracker.atlassian.net/browse/BIT-1427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21005#comment-21005 ] 

Vlad Grigorescu commented on BIT-1427:

The heuristic was removed in Bro 2.4 and replaced by analysis of the cleartext handshake phase of the protocol, and the subsequent packet sizes. Part of the reason for this change was because I had seen similar cases of the heuristic being thrown off by unexpected states (e.g. BIT-947).

I imagine what happened was that one instance of Bro dropped a couple of packets which caused it to reach a confused state, while the other Bro instance and the bulk packet recorder didn't drop those packets. We could try editing the traces to cause those weirds, and see if the 2.4 SSH analyzer deals with it properly, but at that point the trace might be too synthetic to be of real value.

> rare SSH successful login heuristic FPs
> ---------------------------------------
>                 Key: BIT-1427
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1427
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>            Reporter: Vern Paxson
> During a bruteforce attack that made 27M attempted logins, 2 were flagged as successful by one instance of Bro monitoring the traffic, but not by another running an identical config on the same traffic stream.  I wasn't able to reproduce the FPs from bulk traces of the event.  Both instances were associated with two Weirds, "SYN_after_close" and "excessive_data_without_further_acks" that were otherwise quite rare in the traffic.  This suggests that there's a flaw in the heuristic whereby it's analyzing traffic streams that have confused state.  Perhaps an adequate fix is to track whether a given flow has experienced those Weirds, and if so, don't apply the heuristic to it.

This message was sent by Atlassian JIRA
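The mitigation Vern proposes in the quoted issue (remember which flows have produced the two weirds and do not apply the login heuristic to them) can be expressed as a small site script layered on top of the Bro 2.3 SSH analysis. The script below is an added example written for this page; it is not the Bro project's own code and does not come from the ticket. It assumes that the 2.3 base SSH script raises `SSH::heuristic_successful_login(c)` when its response-size heuristic decides a login succeeded (verify the event name against your installed `base/protocols/ssh/main.bro`); the module name, the two notice types and the table name are the example's own.

```bro
##! Added example (not the Bro project's own code): gate the Bro 2.3 SSH
##! login heuristic on whether the connection has produced the weirds that
##! indicate confused TCP state, as suggested in BIT-1427.

@load base/protocols/ssh
@load base/frameworks/notice

module SSH_WeirdGate;

export {
	redef enum Notice::Type += {
		## The heuristic flagged a login and no state-confusing weird
		## had been seen on the connection.
		Login_Confirmed,
		## The heuristic flagged a login but the connection had already
		## produced one of the weirds in suppress_on_weirds.
		Login_Suppressed
	};

	## Weirds that mean Bro's view of the stream is unreliable. These are
	## the two named in the ticket; extend the set as local data warrants.
	const suppress_on_weirds: set[string] = {
		"SYN_after_close",
		"excessive_data_without_further_acks"
	} &redef;

	## Connections (by uid) that have produced one of the weirds above,
	## mapped to the first such weird seen on them.
	global confused: table[string] of string;
}

# conn_weird is raised for every connection-scoped weird; remember only
# the ones that undermine the heuristic, keyed by the connection uid.
event conn_weird(name: string, c: connection, addr: string)
	{
	if ( name in suppress_on_weirds && c$uid !in confused )
		confused[c$uid] = name;
	}

# Assumption: SSH::heuristic_successful_login is the event the Bro 2.3
# base SSH script raises for a heuristically detected login. Negative
# priority runs this handler after the base script's own handlers.
event SSH::heuristic_successful_login(c: connection) &priority=-5
	{
	if ( c$uid in confused )
		NOTICE([$note=Login_Suppressed, $conn=c,
		        $msg=fmt("SSH heuristic login ignored after weird %s",
		                 confused[c$uid]),
		        $identifier=c$uid]);
	else
		NOTICE([$note=Login_Confirmed, $conn=c,
		        $msg="SSH heuristic login with clean TCP state",
		        $identifier=c$uid]);
	}

# Drop the bookkeeping once the connection's state is removed so the
# table does not grow with every flow that ever produced a weird.
event connection_state_remove(c: connection)
	{
	delete confused[c$uid];
	}
```

Load it alongside `local.bro` (or pass it on the command line when replaying a trace with `bro -r`) and compare the `Login_Confirmed` and `Login_Suppressed` counts in notice.log against the base script's `SSH::Login` notices: on a brute-force trace like the one in the ticket, the suppressed notices are the flows where the two instances would have disagreed. The base script still writes its own ssh.log and `SSH::Login` notice before the event fires, so this gate does not change what the stock script records; it only prevents downstream actions from trusting a login verdict reached on a flow whose TCP state Bro had already reported as confused.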
