[Bro-Dev] [JIRA] (BIT-1545) SSH connection not recording entire flow correctly

Johanna Amann (JIRA) jira at bro-tracker.atlassian.net
Mon Mar 7 11:09:01 PST 2016


    [ https://bro-tracker.atlassian.net/browse/BIT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24703#comment-24703 ] 

Johanna Amann commented on BIT-1545:
------------------------------------

This actually is an interesting bug with a few larger implications. I was not aware that setting the skip flag on a connection will completely disable processing in the sense that even byte counts are not updated anymore.

While this might be obvious when thinking about it (no reassembly is performed anymore), that means that we might also have to change a few other analyzers to do things differently. Or - what might be preferable - change the way that skipping works, and still let it increase the byte counters.

For reference, SetSkip is currently called in these circumstances:
- When an analyzer reports an error (in Reporter::AnalyzerError)
- by the SSL analyzer when encountering a number of conditions that do not allow it to confinue further parsing
- by the SMB analyzer (the old one, so that might not be a problem)
- by the login analyzer
- by the DNP3 analyzer when encountering problems
- by the DCE_RPC analyzer when encountering problems
- and by the gridftp script

We probably currently get wrong byte counts in all these instances.

> SSH connection not recording entire flow correctly
> --------------------------------------------------
>
>                 Key: BIT-1545
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1545
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.4
>         Environment: Ubuntu 14.04 LTS, myricom 10g capture card
>            Reporter: Jason Carr
>              Labels: logging
>             Fix For: 2.5
>
>         Attachments: ssh-port22.pcap
>
>
> Making a connection out to a server via ssh does not write to conn.log while running with broctl but it does log to weird.log and ssh.log but nothing to conn.log.
> While running bro -C -r ssh-port22.pcap, a partial log entry is listed with an incorrect and very low number of packets and bytes.
> It was determined that disabling the SSH analyzer gets the correct conn.log output. 
> Analyzer::disable_analyzer(Analyzer::ANALYZER_SSH);	
> Testing on try.bro.org, 2.4+ and master has this problem but 2.3 and below it works as expected.
> Attached is the SSH connection outbound pcap.



--
This message was sent by Atlassian JIRA
(v7.2.0-OD-03-012#72000)


More information about the bro-dev mailing list