[Bro] Interesting observation with ssh on non-ssh port

James Lay jlay at slave-tothe-box.net
Wed Apr 2 14:20:19 PDT 2014


On 2014-04-02 15:15, Siwek, Jonathan Luke wrote:
> On Apr 2, 2014, at 1:14 PM, James Lay <jlay at slave-tothe-box.net> 
> wrote:
>
>> I see my connected sessions fine in ssh.log, but there's no trace of
>> it in conn.log.  This obviously explains why I couldn't get the large
>> outbound transfer scripts working, but now I'm curious...is there a
>> reason why this TCP session doesn't show up in conn.log?
>
> No immediate idea on why the TCP session isn’t showing in conn.log,
> but one thing to be aware of is SSH::skip_processing_after_detection.
> If you’ve redef’d that to true, then any large-transfer detection is
> bound to fail for SSH sessions.  Generally, any connection on which
> the skip_further_processing() built-in function is called won’t have
> accurate size/packet counts.
>
> - Jon

Thanks Jon, I'll keep that in mind.  Short answer was I'm an idiot :)

James
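The point in Jon's reply above, that a large-transfer check built on conn.log byte counts silently fails for SSH sessions when SSH::skip_processing_after_detection is redef'd to true, can be illustrated with a small Bro policy script. This is an added example, not code from the thread or from the Bro project: it keeps SSH connections fully analyzed and raises a notice when a local host sends more than a threshold number of bytes to an external host. The threshold value is constructed for illustration, and the use of Site::is_local_addr() (from base/utils/site) to separate local from external hosts is an assumption about the deployment's configured local networks.

```bro
@load base/protocols/ssh
@load base/utils/site
@load base/frameworks/notice

module LargeTransfer;

export {
    redef enum Notice::Type += {
        ## A local host sent more than `threshold` bytes to an external host.
        Large_Outbound,
    };

    ## Byte threshold for an outbound transfer to be reported.
    ## Constructed value for illustration; tune for the site.
    const threshold = 100000000 &redef;
}

# If this were redef'd to T, skip_further_processing() would be called on
# each SSH connection once the handshake is classified, and c$orig$size /
# c$resp$size in conn.log would stop reflecting the real transfer size.
# Keeping it F is what makes the check below meaningful for SSH sessions.
redef SSH::skip_processing_after_detection = F;

# connection_state_remove fires once per connection when Bro is done with
# it, so the size counters are final at this point.
event connection_state_remove(c: connection)
    {
    # Only consider traffic that leaves the local networks (assumes
    # Site::local_nets has been configured for this deployment).
    if ( ! Site::is_local_addr(c$id$orig_h) )
        return;
    if ( Site::is_local_addr(c$id$resp_h) )
        return;

    # c$orig$size is the originator's payload byte count for this connection.
    if ( c$orig$size > threshold )
        NOTICE([$note=Large_Outbound,
                $msg=fmt("%s sent %d bytes to %s:%s",
                         c$id$orig_h, c$orig$size, c$id$resp_h, c$id$resp_p),
                $conn=c]);
    }
```

Load it alongside local.bro; the notice will only be accurate for SSH sessions as long as no other loaded script redefines SSH::skip_processing_after_detection back to T, which is exactly the failure mode Jon describes.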


