[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer

Vlad Grigorescu (JIRA) jira at bro-tracker.atlassian.net
Tue Mar 24 14:52:00 PDT 2015


    [ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20109#comment-20109 ] 

Vlad Grigorescu commented on BIT-1344:
--------------------------------------

{quote}
Is there a reason why you do not register the analyzer to port 22 by default? If I am not mistaken, the old one and basically all other protocol analyzers register to their well-known ports by default and just fail if they cannot parse the protocol.
{quote}

This is something I've actually been moving away from. If I have a high level of confidence in the DPD signature, I'd rather rely on that, since I believe it will be more efficient than to try to attach the analyzer to all traffic on that port, and wait for a violation. This was based off some informal discussions with Seth, but I'm happy to throw it out to bro-dev and see what others think.

{quote}
Currently some of the texts in different files still state that login success/failure is determined by heuristics. Should we leave that text in, or is it safe if I remove it while merging?
{quote}

Ah, good catch. We should remove it - in the base script, I adopted an attitude of "if we don't know for certain, let's just tell the user that it's unknown" instead of implementing any heuristics. I can go through and remove it as well, if you'd like me to.

> New SSH Analyzer
> ----------------
>
>                 Key: BIT-1344
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1344
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Vlad Grigorescu
>            Assignee: Johanna Amann
>
> The SSH analyzer was rewritten from scratch in topic/vladg/ssh.



--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)
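As an added illustration, not code from the ticket or from the Bro tree, this site-local Bro script shows the port-based attachment the quoted question asks about, which a site can enable alongside the DPD signature path; the `SSH::ports` set, the `&priority` value and the violation reporting are assumptions for illustration.

```bro
# Site-local script (illustration only): attach the SSH analyzer to
# well-known ports in addition to DPD-based detection.
module SSH;

export {
    ## Well-known SSH ports; sites can extend this set with redef.
    const ports = { 22/tcp } &redef;
}

event bro_init() &priority=5
{
    # Every connection on these ports gets the SSH analyzer attached
    # up front. SSH on other ports still relies on the DPD signature,
    # which attaches the analyzer only once the banner has been seen.
    Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
}

# Surface the cost of port-based attachment: an analyzer that was
# attached by port but could not parse the traffic raises a violation
# and is removed from the connection.
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
{
    if ( atype == Analyzer::ANALYZER_SSH )
        print fmt("SSH analyzer violation on %s: %s", c$id, reason);
}
```

Counting these violations against confirmations (`protocol_confirmation`) on port 22 gives a site its own measure of whether port-based attachment or the DPD signature is the better default for its traffic.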

