Vern Paxson created BIT-1427:
--------------------------------
Summary: rare SSH successful login heuristic FPs
Key: BIT-1427
URL: https://bro-tracker.atlassian.net/browse/BIT-1427
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: 2.3
Reporter: Vern Paxson
During a bruteforce attack that made 27M attempted logins, 2 were flagged as
successful by one instance of Bro monitoring the traffic, but not by another
running an identical config on the same traffic stream. I wasn't able to
reproduce the FPs from bulk traces of the event. Both instances were
associated with two Weirds, "SYN_after_close" and
"excessive_data_without_further_acks" that were otherwise quite rare in the
traffic. This suggests that there's a flaw in the heuristic whereby it's
analyzing traffic streams that have confused state. Perhaps an adequate fix is
to track whether a given flow has experienced those Weirds, and if so, don't
apply the heuristic to it.
--
This message was sent by Atlassian JIRA
(v6.5-OD-05-041#65001)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
