[Bro-Dev] [JIRA] (BIT-1427) rare SSH successful login heuristic FPs
Vern Paxson (JIRA)
jira at bro-tracker.atlassian.net
Sun Jun 21 09:20:00 PDT 2015
[ https://bro-tracker.atlassian.net/browse/BIT-1427?focusedWorklogId=10100&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-10100 ]
Vern Paxson logged work on BIT-1427:
------------------------------------
Author: Vern Paxson
Created on: 21/Jun/15 11:19 AM
Start Date: 21/Jun/15 11:19 AM
Worklog Time Spent: 5 minutes
Work Description: Already presumed fixed in 2.4.
Issue Time Tracking
-------------------
Worklog Id: (was: 10100)
Time Spent: 5 minutes
Remaining Estimate: 0 minutes
> rare SSH successful login heuristic FPs
> ---------------------------------------
>
> Key: BIT-1427
> URL: https://bro-tracker.atlassian.net/browse/BIT-1427
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Reporter: Vern Paxson
> Fix For: 2.4
>
> Time Spent: 5 minutes
> Remaining Estimate: 0 minutes
>
> During a bruteforce attack that made 27M attempted logins, 2 were flagged as successful by one instance of Bro monitoring the traffic, but not by another running an identical config on the same traffic stream. I wasn't able to reproduce the FPs from bulk traces of the event. Both instances were associated with two Weirds, "SYN_after_close" and "excessive_data_without_further_acks" that were otherwise quite rare in the traffic. This suggests that there's a flaw in the heuristic whereby it's analyzing traffic streams that have confused state. Perhaps an adequate fix is to track whether a given flow has experienced those Weirds, and if so, don't apply the heuristic to it.
--
This message was sent by Atlassian JIRA
(v6.5-OD-05-041#65001)
More information about the bro-dev
mailing list