[Bro-Dev] [JIRA] (BIT-1427) rare SSH successful login heuristic FPs

Vern Paxson (JIRA) jira at bro-tracker.atlassian.net
Sun Jun 21 09:20:00 PDT 2015

     [ https://bro-tracker.atlassian.net/browse/BIT-1427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vern Paxson updated BIT-1427:
       Resolution: Fixed
    Fix Version/s: 2.4
           Status: Closed  (was: Open)

Already presumed fixed in 2.4.

> rare SSH successful login heuristic FPs
> ---------------------------------------
>                 Key: BIT-1427
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1427
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>            Reporter: Vern Paxson
>             Fix For: 2.4
> During a bruteforce attack that made 27M attempted logins, 2 were flagged as successful by one instance of Bro monitoring the traffic, but not by another running an identical config on the same traffic stream.  I wasn't able to reproduce the FPs from bulk traces of the event.  Both instances were associated with two Weirds, "SYN_after_close" and "excessive_data_without_further_acks" that were otherwise quite rare in the traffic.  This suggests that there's a flaw in the heuristic whereby it's analyzing traffic streams that have confused state.  Perhaps an adequate fix is to track whether a given flow has experienced those Weirds, and if so, don't apply the heuristic to it.

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list