[Bro-Dev] [JIRA] (BIT-1545) SSH connection not recording entire flow correctly

Johanna Amann (JIRA) jira at bro-tracker.atlassian.net
Mon Mar 7 12:33:02 PST 2016


    [ https://bro-tracker.atlassian.net/browse/BIT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24705#comment-24705 ] 

Johanna Amann commented on BIT-1545:
------------------------------------

I talked to Robin - and was mistaken, most of these cases are actually not a problem because the analyzers only disable themselves, not the root-analyzer.

We still should fix the current behavior someday - for example by adding a field to the connection history that the size counting was disabled for the rest of this connection. This will potentially become even more interesting with the addition of the netcontrol framework, which also should somehow signal that connections have been shunted (currently, it is not really doing that).

> SSH connection not recording entire flow correctly
> --------------------------------------------------
>
>                 Key: BIT-1545
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1545
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.4
>         Environment: Ubuntu 14.04 LTS, myricom 10g capture card
>            Reporter: Jason Carr
>              Labels: logging
>             Fix For: 2.5
>
>         Attachments: ssh-port22.pcap
>
>
> Making a connection out to a server via ssh does not write to conn.log while running with broctl; it does log to weird.log and ssh.log, but nothing to conn.log.
> While running bro -C -r ssh-port22.pcap, a partial log entry is listed with an incorrect and very low number of packets and bytes.
> It was determined that disabling the SSH analyzer gets the correct conn.log output.
> Analyzer::disable_analyzer(Analyzer::ANALYZER_SSH);
> Testing on try.bro.org, 2.4+ and master has this problem, but 2.3 and below works as expected.
> Attached is the SSH connection outbound pcap.
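The symptom reported above (a complete SSH session whose conn.log entry carries implausibly low packet and byte totals) can be checked for in existing logs without re-running the pcap. The following script is an added example, not code from the Bro tracker or the Bro project: it parses Bro's tab-separated log format (a `#fields` header naming the columns, other `#` lines as metadata) and flags SSH connections that Bro marked as fully established (`conn_state` SF) yet recorded with fewer packets or payload bytes than any real SSH handshake produces. The thresholds `MIN_PKTS` and `MIN_BYTES` are assumptions, and the three conn.log rows are constructed for the example.

```python
"""Added example (not from the Bro tracker or the Bro project): scan a Bro
conn.log for SSH connections whose packet/byte totals look implausibly low,
the symptom described in BIT-1545. Log lines below are constructed."""

# Constructed conn.log excerpt in Bro's TSV format. Row C1abc mimics the
# reported bug (SF state, 5 packets total); C3ghi is a normal SSH session;
# C2def is not SSH and must be ignored.
CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
1457380000.000000\tC1abc\t10.0.0.5\t51234\t192.0.2.10\t22\ttcp\tssh\t0.012\t21\t0\tSF\t-\t-\t0\tShAdF\t3\t180\t2\t112\t(empty)
1457380001.000000\tC2def\t10.0.0.5\t51235\t192.0.2.11\t443\ttcp\tssl\t4.5\t3200\t48000\tSF\t-\t-\t0\tShADadF\t40\t5100\t60\t72000\t(empty)
1457380002.000000\tC3ghi\t10.0.0.6\t51236\t192.0.2.12\t22\ttcp\tssh\t90.0\t8800\t120000\tSF\t-\t-\t0\tShADadF\t150\t15000\t180\t130000\t(empty)
"""

# Assumed heuristics: an SSH version exchange plus key exchange alone needs
# well over 10 packets and 500 payload bytes, so a completed session below
# either figure is almost certainly an undercounted entry.
MIN_PKTS = 10
MIN_BYTES = 500


def parse_bro_log(text):
    """Parse Bro TSV: '#fields' names the columns; other '#' lines are metadata."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def as_int(value):
    """Bro writes '-' for unset numeric fields; treat that as zero."""
    return 0 if value == "-" else int(value)


def flag_suspect_ssh(conn_log_text):
    """Return uids of SF-state SSH connections with implausibly small totals."""
    suspects = []
    for row in parse_bro_log(conn_log_text):
        # 'service' may hold several comma-separated protocol names.
        if "ssh" not in row.get("service", "").split(","):
            continue
        if row.get("conn_state") != "SF":
            continue  # unfinished or reset connections are legitimately small
        pkts = as_int(row["orig_pkts"]) + as_int(row["resp_pkts"])
        payload = as_int(row["orig_bytes"]) + as_int(row["resp_bytes"])
        if pkts < MIN_PKTS or payload < MIN_BYTES:
            suspects.append(row["uid"])
    return suspects


if __name__ == "__main__":
    for uid in flag_suspect_ssh(CONN_LOG):
        print("suspiciously small SSH conn.log entry:", uid)
```

Pointing `parse_bro_log` at a real conn.log (read the file and pass its text) turns this into a quick triage of whether a deployment is affected; the workaround quoted in the issue, `Analyzer::disable_analyzer(Analyzer::ANALYZER_SSH);`, can then be weighed against losing ssh.log entirely.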



--
This message was sent by Atlassian JIRA
(v7.2.0-OD-03-012#72000)
