[
https://bro-tracker.atlassian.net/browse/BIT-1427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vern Paxson updated BIT-1427:
-----------------------------
Resolution: Fixed
Fix Version/s: 2.4
Status: Closed (was: Open)
Already presumed fixed in 2.4.
> rare SSH successful login heuristic FPs
> ---------------------------------------
>
> Key: BIT-1427
> URL: https://bro-tracker.atlassian.net/browse/BIT-1427
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Reporter: Vern Paxson
> Fix For: 2.4
>
>
> During a bruteforce attack that made 27M attempted logins, 2 were flagged as
> successful by one instance of Bro monitoring the traffic, but not by another
> running an identical config on the same traffic stream. I wasn't able to
> reproduce the FPs from bulk traces of the event. Both instances were
> associated with two Weirds, "SYN_after_close" and
> "excessive_data_without_further_acks" that were otherwise quite rare in the
> traffic. This suggests that there's a flaw in the heuristic whereby it's
> analyzing traffic streams that have confused state. Perhaps an adequate fix
> is to track whether a given flow has experienced those Weirds, and if so,
> don't apply the heuristic to it.
--
This message was sent by Atlassian JIRA
(v6.5-OD-05-041#65001)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
