[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer

Robin Sommer robin at icir.org
Wed Mar 25 08:29:39 PDT 2015



On Tue, Mar 24, 2015 at 16:52 -0500, you wrote:

> This is something I've actually been moving away from. If I have a
> high level of confidence in the DPD signature, I'd rather rely on
> that, since I believe it will be more efficient than to try to attach
> the analyzer to all traffic on that port, and wait for a violation.
> This was based off some informal discussions with Seth, but I'm happy
> to throw it out to bro-dev and see what others think.

I would prefer staying with the well-known ports. I see the argument
for signature-only, but it would be inconsistent with how the other
analyzers work, making it hard to explain to people what's going on.
And I don't expect much of a problem in terms of efficiency for SSH.
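For readers unfamiliar with the two attachment strategies being weighed above, here is an added illustration (not code from the thread or from the Bro SSH analyzer itself) of what each looks like at the script level, assuming the Bro 2.x script API: port-based registration attaches the analyzer to every connection on 22/tcp and drops it on a protocol violation, while a DPD signature attaches it only once the payload looks like SSH, on any port.

```bro
## Added example: port-based attachment versus DPD-signature attachment
## for the SSH analyzer. Assumes Bro 2.x; the port set and file names are
## illustrative choices, not the project's own.

module SSHExample;

## Strategy 1: well-known ports. The analyzer is attached to every
## connection on these ports and is removed if the protocol parser
## reports a violation (e.g. the responder never sends "SSH-...").
const ssh_ports = { 22/tcp } &redef;

## Treat these as likely server ports so the responder side is chosen
## correctly even when the connection is seen mid-stream.
redef likely_server_ports += { ssh_ports };

event bro_init() &priority=5
	{
	Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ssh_ports);
	}

## Strategy 2: DPD signature only. Nothing below depends on the port;
## the analyzer is enabled once both endpoints send an SSH banner.
## This block would live in a .sig file loaded with @load-sigs.
##
## signature dpd_ssh_client {
##     ip-proto == tcp
##     payload /^[sS][sS][hH]-/
##     requires-reverse-signature dpd_ssh_server
##     enable "ssh"
##     tcp-state originator
## }
##
## signature dpd_ssh_server {
##     ip-proto == tcp
##     payload /^[sS][sS][hH]-/
##     tcp-state responder
## }

## Either way, a mismatch shows up here: for port-based attachment this
## fires when non-SSH traffic hits 22/tcp; for signature-only attachment
## it fires only if the banner matched but the stream then diverged.
event protocol_violation(c: connection, atype: Analyzer::Tag,
                         aid: count, reason: string)
	{
	if ( atype == Analyzer::ANALYZER_SSH )
		print fmt("SSH analyzer violation on %s: %s", c$id, reason);
	}
```

The trade-off in the thread is visible here: the port-based path inspects every 22/tcp flow and relies on violations to back off, whereas the signature path costs a regex match per connection but finds SSH on non-standard ports and never attaches to traffic that does not banner as SSH.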


