[Bro] Interesting observation with ssh on non-ssh port
Siwek, Jonathan Luke
jsiwek at illinois.edu
Wed Apr 2 14:15:20 PDT 2014
On Apr 2, 2014, at 1:14 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> I see my connected sessions fine in ssh.log,
> but there's no trace of it in conn.log. This obviously explains why I
> couldn't get the large outbound transfer scripts working, but now I'm
> curious...is there a reason why this TCP session doesn't show up in
> conn.log?
No immediate idea on why the TCP session isn’t showing in conn.log, but one thing to be aware of is SSH::skip_processing_after_detection. If you’ve redef’d that to true, then any large-transfer detection is bound to fail for SSH sessions. Generally, any connection on which the skip_further_processing() built-in function is called won’t have accurate size/packet counts.
- Jon
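As an added example (not code from the thread or from the Bro project), a small Bro script that leaves SSH::skip_processing_after_detection disabled so that the per-endpoint byte counts keep growing past the handshake, and then flags large outbound transfers on the SSH connections when they are removed from state. The module name, notice type and threshold are assumptions chosen for illustration.

```bro
# Added example: accurate SSH byte counts plus a large-outbound-transfer check.
# Module name, notice type and threshold are assumptions, not Bro defaults.
@load base/protocols/ssh
@load base/frameworks/notice

module LargeSSH;

export {
    redef enum Notice::Type += {
        ## Raised when the originator sends more than outbound_threshold
        ## bytes over a single SSH connection (assumed notice name).
        Large_Outbound_Transfer
    };

    ## Assumed threshold; tune per site.
    const outbound_threshold = 10 * 1024 * 1024 &redef;
}

# With the default (T), the SSH script calls skip_further_processing() once
# the session is classified, after which c$orig$size and c$resp$size stop
# growing and any size-based detection on that connection is unreliable.
redef SSH::skip_processing_after_detection = F;

event connection_state_remove(c: connection)
    {
    # Only look at connections the SSH analyzer actually confirmed,
    # regardless of the port they ran on.
    if ( "SSH" !in c$service )
        return;

    if ( c$orig$size > outbound_threshold )
        NOTICE([$note=Large_Outbound_Transfer,
                $msg=fmt("%s sent %d bytes over SSH to %s",
                         c$id$orig_h, c$orig$size, c$id$resp_h),
                $conn=c,
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```

Because the check keys on c$service rather than on port 22, it covers SSH sessions on non-standard ports as long as the analyzer classified them; a session that never reaches conn.log at all, as in the question above, would still not be seen here, since connection_state_remove is the same state the connection record is written from.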