[ https://bro-tracker.atlassian.net/browse/BIT-1427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21006#comment-21006 ]
Vern Paxson commented on BIT-1427:
----------------------------------

Thanks, Vlad. I'll close this. Once we upgrade to 2.4, surely the Internet will provide another opportunity to test this :-P.

> rare SSH successful login heuristic FPs
> ---------------------------------------
>
> Key: BIT-1427
> URL: https://bro-tracker.atlassian.net/browse/BIT-1427
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Reporter: Vern Paxson
>
> During a bruteforce attack that made 27M attempted logins, 2 were flagged as
> successful by one instance of Bro monitoring the traffic, but not by another
> running an identical config on the same traffic stream. I wasn't able to
> reproduce the FPs from bulk traces of the event. Both instances were
> associated with two Weirds, "SYN_after_close" and
> "excessive_data_without_further_acks" that were otherwise quite rare in the
> traffic. This suggests that there's a flaw in the heuristic whereby it's
> analyzing traffic streams that have confused state. Perhaps an adequate fix
> is to track whether a given flow has experienced those Weirds, and if so,
> don't apply the heuristic to it.

--
This message was sent by Atlassian JIRA
(v6.5-OD-05-041#65001)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
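The mitigation the report sketches (remember which flows raised those two Weirds and withhold the success heuristic from them), written up as an added Bro 2.3 policy script that is not part of this thread or of Bro's own code base. It assumes Bro 2.3's `conn_weird` and `SSH::heuristic_successful_login` events, the `uid` and `status` fields of `SSH::Info`, and that adding a `Log::Filter` named "default" replaces the stock one; the `SSHConfused` module and every name inside it are hypothetical.

```bro
# Added example for BIT-1427, not Bro project code. Hypothetical module name.
module SSHConfused;

export {
	# Weird names the report correlates with the two false positives.
	const confusing_weirds: set[string] = {
		"SYN_after_close",
		"excessive_data_without_further_acks",
	} &redef;

	# uid -> first confusing Weird seen on that connection. Entries expire so
	# the table stays bounded during a multi-million-attempt brute-force run.
	global confused_by: table[string] of string &create_expire = 1 hr;

	# Raised where the heuristic would have reported success on a flow whose
	# TCP state was confused, so the suppression itself stays observable.
	global suppressed_success: event(c: connection, weird: string);
}

# Step 1: tag the flow as soon as one of the confusing Weirds fires on it.
event conn_weird(name: string, c: connection, addl: string)
	{
	if ( name in confusing_weirds && c$uid !in confused_by )
		confused_by[c$uid] = name;
	}

# Step 2: keep heuristic "success" rows for tagged flows out of ssh.log.
# Failures and untagged connections are logged unchanged.
function keep_ssh_entry(rec: SSH::Info): bool
	{
	if ( rec?$status && rec$status == "success" && rec$uid in confused_by )
		return F;
	return T;
	}

event bro_init() &priority=-5
	{
	# Assumption: re-adding a filter named "default" replaces the stock one.
	Log::remove_default_filter(SSH::LOG);
	Log::add_filter(SSH::LOG, [$name="default", $pred=keep_ssh_entry]);
	}

# Step 3: tell downstream scripts (e.g. notice generation) that a success
# verdict was withheld, and why, instead of silently dropping it.
event SSH::heuristic_successful_login(c: connection) &priority=5
	{
	if ( c$uid in confused_by )
		event SSHConfused::suppressed_success(c, confused_by[c$uid]);
	}
```

Handlers for `SSH::heuristic_successful_login` in other scripts still run; a deployment that acts on that event directly should also check `confused_by` or handle `suppressed_success`.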