[Bro-Dev] [JIRA] (BIT-1545) SSH connection not recording entire flow correctly
Jason Carr (JIRA)
jira at bro-tracker.atlassian.net
Fri Mar 4 10:47:00 PST 2016
Jason Carr created BIT-1545:
-------------------------------
Summary: SSH connection not recording entire flow correctly
Key: BIT-1545
URL: https://bro-tracker.atlassian.net/browse/BIT-1545
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master, 2.4
Environment: Ubuntu 14.04 LTS, myricom 10g capture card
Reporter: Jason Carr
Attachments: ssh-port22.pcap
Making a connection out to a server via SSH does not write to conn.log while running with broctl; it does log to weird.log and ssh.log, but nothing to conn.log.
While running bro -C -r ssh-port22.pcap, a partial log entry is listed with an incorrect and very low number of packets and bytes.
It was determined that disabling the SSH analyzer gets the correct conn.log output.
    Analyzer::disable_analyzer(Analyzer::ANALYZER_SSH);
Testing on try.bro.org, 2.4+ and master have this problem, but 2.3 and below work as expected.
Attached is the SSH connection outbound pcap.
--
This message was sent by Atlassian JIRA
(v7.2.0-OD-03-010#72000)
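
The symptom reported above (SSH sessions present in ssh.log but missing from, or truncated in, conn.log) can be checked for by joining the two logs on uid. The following is an added example, not part of the original report or of Bro itself; the sample logs are constructed with a reduced column set, and the min_bytes threshold and function names are assumptions.

```python
def read_bro_log(text):
    """Parse a Bro TSV log into dicts keyed by the names on its #fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def as_int(value):
    """Bro writes '-' for an unset field; count that as zero."""
    return 0 if value in (None, "", "-") else int(value)

def check_ssh_flows(ssh_log, conn_log, min_bytes=1000):
    """Map uid -> reason for SSH sessions with a missing or undersized conn.log record."""
    conns = {r["uid"]: r for r in read_bro_log(conn_log)}
    findings = {}
    for rec in read_bro_log(ssh_log):
        conn = conns.get(rec["uid"])
        if conn is None:
            findings[rec["uid"]] = "missing from conn.log"
            continue
        total = as_int(conn.get("orig_bytes")) + as_int(conn.get("resp_bytes"))
        if total < min_bytes:  # min_bytes is an assumed threshold, tune per site
            findings[rec["uid"]] = "only %d payload bytes in conn.log" % total
    return findings

def make_log(fields, rows):
    """Build a constructed, reduced-column Bro-style log for the demo below."""
    body = ["\t".join(r) for r in rows]
    return "\n".join(["#separator \\x09", "#fields\t" + "\t".join(fields)] + body) + "\n"

# Constructed sample data (documentation addresses, made-up uids).
SSH_LOG = make_log(["ts", "uid", "id.orig_h", "id.resp_h", "id.resp_p"], [
    ["1457117220.0", "CAAA1", "192.0.2.10", "198.51.100.5", "22"],
    ["1457117230.0", "CBBB2", "192.0.2.10", "198.51.100.6", "22"],
    ["1457117240.0", "CCCC3", "192.0.2.10", "198.51.100.7", "22"],
])
CONN_LOG = make_log(["ts", "uid", "orig_bytes", "resp_bytes", "orig_pkts", "resp_pkts"], [
    ["1457117220.0", "CAAA1", "3500", "5200", "40", "38"],
    ["1457117230.0", "CBBB2", "21", "41", "2", "1"],
])

if __name__ == "__main__":
    for uid, reason in sorted(check_ssh_flows(SSH_LOG, CONN_LOG).items()):
        print(uid, reason)
```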