[Bro-Dev] [JIRA] (BIT-1545) SSH connection not recording entire flow correctly

Vern Paxson (JIRA) jira at bro-tracker.atlassian.net
Thu Mar 10 08:27:00 PST 2016


    [ https://bro-tracker.atlassian.net/browse/BIT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24800#comment-24800 ] 

Vern Paxson commented on BIT-1545:
----------------------------------

I'm definitely a fan of at least adding transparency that the value has not been properly tracked!  It would also be good to understand in what shunting situations one can still afford to track such values; and I would hope that even if there's full (blind) shunting, the FIN/RSTs that terminate the connection are still captured, so one can make a guess based on sequence numbers.  (Likewise, we'd want this annotated as a guess and not a directly measured value.)

> SSH connection not recording entire flow correctly
> --------------------------------------------------
>
>                 Key: BIT-1545
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1545
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.4
>         Environment: Ubuntu 14.04 LTS, myricom 10g capture card
>            Reporter: Jason Carr
>            Assignee: Johanna Amann
>              Labels: logging
>             Fix For: 2.5
>
>         Attachments: ssh-port22.pcap
>
>
> Making a connection out to a server via ssh does not write to conn.log while running with broctl but it does log to weird.log and ssh.log but nothing to conn.log.
> While running bro -C -r ssh-port22.pcap, a partial log entry is listed with an incorrect and very low number of packets and bytes.
> It was determined that disabling the SSH analyzer gets the correct conn.log output.
> Analyzer::disable_analyzer(Analyzer::ANALYZER_SSH);
> Testing on try.bro.org, 2.4+ and master has this problem but 2.3 and below it works as expected.
> Attached is the SSH connection outbound pcap.



--
This message was sent by Atlassian JIRA
(v7.2.0-OD-03-014#72000)
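The sequence-number guess Vern proposes above, as an added stand-alone illustration (not Bro code and not part of this thread): when the bulk of a flow is shunted past the analyzer, the per-direction byte count can still be estimated from the SYN and the closing FIN/RST, and the result is flagged as an estimate rather than a measured value. The packet records, the "orig"/"resp" labels and the flow below are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

@dataclass
class Packet:
    src: str      # "orig" (client) or "resp" (server); constructed labels
    seq: int      # TCP sequence number of this segment
    flags: str    # any of "S", "A", "F", "R"
    payload: int  # payload bytes carried by this segment

@dataclass
class ByteCount:
    orig_bytes: Optional[int]
    resp_bytes: Optional[int]
    estimated: bool  # True when derived from sequence numbers, not measured

def observed_bytes(pkts: List[Packet]) -> ByteCount:
    """Payload actually seen by the analyzer: the low count the report describes."""
    return ByteCount(sum(p.payload for p in pkts if p.src == "orig"),
                     sum(p.payload for p in pkts if p.src == "resp"), False)

def _side_estimate(pkts: List[Packet]) -> Optional[int]:
    syn = next((p for p in pkts if "S" in p.flags), None)
    end = next((p for p in pkts if "F" in p.flags or "R" in p.flags), None)
    if syn is None or end is None:
        return None  # no SYN or no FIN/RST captured: cannot even guess
    # ISN+1 is the first data byte; the FIN/RST seq is the byte after the last
    # data byte sent before it, plus whatever payload rides on that segment.
    # Modular arithmetic handles wraparound but cannot tell apart flows that
    # moved more than 4 GiB, one more reason to label the result a guess.
    return (end.seq - (syn.seq + 1)) % SEQ_MOD + end.payload

def estimated_bytes(pkts: List[Packet]) -> ByteCount:
    """Per-direction byte guess from SYN and FIN/RST sequence numbers."""
    return ByteCount(_side_estimate([p for p in pkts if p.src == "orig"]),
                     _side_estimate([p for p in pkts if p.src == "resp"]), True)

# Constructed SSH-like flow: only the handshake, the banner exchange and the
# closing FINs reach the analyzer; the shunted bulk of the session is absent.
SAMPLE_FLOW = [
    Packet("orig", 4294967000, "S", 0),   # ISN chosen near the wrap point
    Packet("resp", 1000, "SA", 0),
    Packet("orig", 4294967001, "A", 21),  # "SSH-2.0-..." banner
    Packet("resp", 1001, "A", 21),
    Packet("orig", 4705, "FA", 0),        # 5000 data bytes later, seq wrapped
    Packet("resp", 13001, "FA", 0),       # 12000 data bytes later
]
# observed_bytes(SAMPLE_FLOW)  -> orig 21, resp 21, estimated=False
# estimated_bytes(SAMPLE_FLOW) -> orig 5000, resp 12000, estimated=True
```

A flow whose FIN/RST was never captured yields None for that direction instead of a number, so a log consumer can tell "unknown" from "zero".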

