[Bro-Dev] [JIRA] (BIT-1545) SSH connection not recording entire flow correctly

Aaron Eppert (JIRA) jira at bro-tracker.atlassian.net
Fri Mar 4 18:39:00 PST 2016


    [ https://bro-tracker.atlassian.net/browse/BIT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24610#comment-24610 ] 

Aaron Eppert edited comment on BIT-1545 at 3/4/16 8:38 PM:
-----------------------------------------------------------

{{SSH::skip_processing_after_detection}} defaults to T and is {{&redef}}'able. With that set {{skip_further_processing()}} is called in {{event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5}}, I assume this would be the culprit in the matter.

Try: {{redef SSH::skip_processing_after_detection = F;}} and see if that fixes the issue.

(Per Justin... T and F on a Friday look the same :) )


was (Author: aeppert):
{{SSH::skip_processing_after_detection}} defaults to T and is {{&redef}}'able. With that set {{skip_further_processing()}} is called in {{event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5}}, I assume this would be the culprit in the matter.

Try: {{redef SSH::skip_processing_after_detection = T;}} and see if that fixes the issue.

> SSH connection not recording entire flow correctly
> --------------------------------------------------
>
>                 Key: BIT-1545
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1545
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.4
>         Environment: Ubuntu 14.04 LTS, myricom 10g capture card
>            Reporter: Jason Carr
>              Labels: logging
>             Fix For: 2.5
>
>         Attachments: ssh-port22.pcap
>
>
> Making a connection out to a server via ssh does not write to conn.log while running with broctl; it does log to weird.log and ssh.log, but nothing to conn.log.
> While running bro -C -r ssh-port22.pcap, a partial log entry is listed with an incorrect and very low number of packets and bytes.
> It was determined that disabling the SSH analyzer gets the correct conn.log output.
> Analyzer::disable_analyzer(Analyzer::ANALYZER_SSH);
> Testing on try.bro.org, 2.4+ and master have this problem, but on 2.3 and below it works as expected.
> Attached is the SSH connection outbound pcap.



--
This message was sent by Atlassian JIRA
(v7.2.0-OD-03-010#72000)
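The following Bro script is an added example for checking the workaround suggested in the comment above; it is not part of BIT-1545, of the reporter's attachment, or of the Bro distribution. It applies the {{redef}} from the comment and, as a diagnostic, prints the per-endpoint packet and byte counts that the conn.log entry will carry for each SSH connection when it is torn down, so the effect of the option can be read off stdout. The file name ssh-flow-check.bro and the invocation against the attached pcap are assumptions; running it once with the {{redef}} line present and once with it commented out is the intended comparison.

```bro
# Added example, not from BIT-1545 or the Bro distribution.
# Assumed usage (file name is an assumption):
#   bro -C -r ssh-port22.pcap ssh-flow-check.bro
# Run once as-is and once with the redef below commented out, then compare
# the printed counts (and conn.log's orig_pkts/resp_pkts) between the two runs.

@load base/protocols/conn
@load base/protocols/ssh

# Workaround from the comment: with the option at its default of T, the SSH
# script calls skip_further_processing() on a successful authentication.
# Setting it to F keeps the connection being processed after that point.
redef SSH::skip_processing_after_detection = F;

# Diagnostic hook: fires when a connection's state is removed, i.e. at the
# point the conn.log entry is written. Only SSH connections are reported
# (c$ssh is attached by the SSH script).
event connection_state_remove(c: connection)
	{
	if ( ! c?$ssh )
		return;

	# num_pkts is &optional on the endpoint record; fall back to 0 if absent.
	local orig_pkts = c$orig?$num_pkts ? c$orig$num_pkts : 0;
	local resp_pkts = c$resp?$num_pkts ? c$resp$num_pkts : 0;

	print fmt("%s -> %s:%s orig_pkts=%d resp_pkts=%d orig_bytes=%d resp_bytes=%d",
	          c$id$orig_h, c$id$resp_h, c$id$resp_p,
	          orig_pkts, resp_pkts, c$orig$size, c$resp$size);
	}
```

The reporter's alternative, {{Analyzer::disable_analyzer(Analyzer::ANALYZER_SSH)}}, also restores the conn.log counts but does so by removing the SSH analysis altogether; the {{redef}} keeps ssh.log while changing only the post-authentication behaviour, which is why it is the more useful one to test first.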