[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
Vlad Grigorescu (JIRA)
jira at bro-tracker.atlassian.net
Tue Mar 24 14:52:00 PDT 2015
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20109#comment-20109 ]
Vlad Grigorescu commented on BIT-1344:
Is there a reason why you do not register the analyzer to port 22 by default? If I am not mistaken, the old one and basically all other protocol analyzers register to their well-known ports by default and just fail if they cannot parse the protocol.
This is something I've actually been moving away from. If I have a high level of confidence in the DPD signature, I'd rather rely on that, since I believe it will be more efficient than to try to attach the analyzer to all traffic on that port, and wait for a violation. This was based off some informal discussions with Seth, but I'm happy to throw it out to bro-dev and see what others think.
Currently some of the texts in different files still state that login success/failure is determined by heuristics. Should we leave that text in or is it safe if I remove it while merging?
Ah, good catch. We should remove it - in the base script, I adopted an attitude of "if we don't know for certain, let's just tell the user that it's unknown" instead of implementing any heuristics. I can go through and remove it as well, if you'd like me to.
> New SSH Analyzer
> Key: BIT-1344
> URL: https://bro-tracker.atlassian.net/browse/BIT-1344
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: 2.4
> Reporter: Vlad Grigorescu
> Assignee: Johanna Amann
> The SSH analyzer was rewritten from scratch in topic/vladg/ssh.
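
An added example, not part of the original message and not Bro code: a small Python model of the two attachment strategies discussed in the comment above (registering the analyzer for port 22 versus relying on a payload signature). The flows, labels, function names and the both-directions match rule are assumptions constructed for illustration.

```python
import re

# RFC 4253 identification string, "SSH-protoversion-softwareversion".
# Simplification: lines a server may send before it are not handled.
SSH_ID = re.compile(rb"^SSH-[12]\.\d+-[^\s-]+")

# Constructed flows: (label, responder port, first client bytes,
# first server bytes, is it really SSH?)
FLOWS = [
    ("ssh-22", 22, b"SSH-2.0-OpenSSH_6.7p1\r\n", b"SSH-2.0-OpenSSH_6.7p1\r\n", True),
    ("ssh-2222", 2222, b"SSH-2.0-PuTTY_Release_0.64\r\n", b"SSH-2.0-dropbear_2014.66\r\n", True),
    ("http-on-22", 22, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n", False),
    ("http-80", 80, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n", False),
]


def attach_by_port(port, client, server):
    """Port registration: attach to everything on 22/tcp and let parsing fail."""
    return port == 22


def attach_by_signature(port, client, server):
    """Signature-style: attach only when both first payloads look like SSH."""
    return bool(SSH_ID.match(client)) and bool(SSH_ID.match(server))


def evaluate(strategy):
    """Return (attached, wasted, missed) flow labels for one strategy."""
    attached, wasted, missed = [], [], []
    for label, port, client, server, is_ssh in FLOWS:
        if strategy(port, client, server):
            attached.append(label)
            if not is_ssh:
                wasted.append(label)  # analyzer runs until it hits a violation
        elif is_ssh:
            missed.append(label)  # SSH session that never gets analyzed
    return attached, wasted, missed


if __name__ == "__main__":
    for strategy in (attach_by_port, attach_by_signature):
        print(strategy.__name__, evaluate(strategy))
```

The model only shows which connections each strategy hands to the analyzer; it does not measure the per-connection cost of signature matching.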