[ 
https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20109#comment-20109
 ] 

Vlad Grigorescu commented on BIT-1344:
--------------------------------------

{quote}
Is there a reason why you do not register the analyzer to port 22 by default? 
If I am not mistaken, the old one and basically all other protocol analyzers 
register to their well-known ports by default and just fail if they cannot 
parse the protocol.
{quote}

This is something I've actually been moving away from. If I have a high level 
of confidence in the DPD signature, I'd rather rely on that, since I believe it 
will be more efficient than to try to attach the analyzer to all traffic on 
that port, and wait for a violation. This was based off some informal 
discussions with Seth, but I'm happy to throw it out to bro-dev and see what 
others think.

{quote}
Currently some of the texts in different files still state that login 
success/failure is determined by heuristics. Should we leave that text in or is 
it safe if I remove it while merging?
{quote}

Ah, good catch. We should remove it - in the base script, I adopted an attitude 
of "if we don't know for certain, let's just tell the user that it's unknown" 
instead of implementing any heuristics. I can go through and remove it as well, 
if you'd like me to.

> New SSH Analyzer
> ----------------
>
>                 Key: BIT-1344
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1344
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Vlad Grigorescu
>            Assignee: Johanna Amann
>
> The SSH analyzer was rewritten from scratch in topic/vladg/ssh.



--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
