[
https://bro-tracker.atlassian.net/browse/BIT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24703#comment-24703
]
Johanna Amann commented on BIT-1545:
------------------------------------
This actually is an interesting bug with a few larger implications. I was not
aware that setting the skip flag on a connection will completely disable
processing in the sense that even byte counts are not updated anymore.

While this might be obvious when thinking about it (no reassembly is performed
anymore), that means that we might also have to change a few other analyzers to
do things differently. Or - what might be preferable - change the way that
skipping works, and still let it increase the byte counters.

For reference, SetSkip is currently called in these circumstances:
- When an analyzer reports an error (in Reporter::AnalyzerError)
- by the SSL analyzer when encountering a number of conditions that do not
allow it to continue further parsing
- by the SMB analyzer (the old one, so that might not be a problem)
- by the login analyzer
- by the DNP3 analyzer when encountering problems
- by the DCE_RPC analyzer when encountering problems
- and by the gridftp script
We probably currently get wrong byte counts in all these instances.
> SSH connection not recording entire flow correctly
> --------------------------------------------------
>
> Key: BIT-1545
> URL: https://bro-tracker.atlassian.net/browse/BIT-1545
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master, 2.4
> Environment: Ubuntu 14.04 LTS, myricom 10g capture card
> Reporter: Jason Carr
> Labels: logging
> Fix For: 2.5
>
> Attachments: ssh-port22.pcap
>
>
> Making a connection out to a server via ssh does not write to conn.log while
> running with broctl but it does log to weird.log and ssh.log but nothing to
> conn.log.
> While running bro -C -r ssh-port22.pcap, a partial log entry is listed with
> an incorrect and very low number of packets and bytes.
> It was determined that disabling the SSH analyzer gets the correct conn.log
> output.
> Analyzer::disable_analyzer(Analyzer::ANALYZER_SSH);
> Testing on try.bro.org, 2.4+ and master has this problem but 2.3 and below it
> works as expected.
> Attached is the SSH connection outbound pcap.
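A log-level consistency check for the symptom described in this ticket (an ssh.log entry exists for a connection whose conn.log record carries almost no bytes), added here as an example; it is not code from the ticket, from Bro, or from the reporter. The conn.log and ssh.log lines are constructed (the ssh.log header is a reduced field set), and the bound it applies is the one the protocol guarantees: if ssh.log recorded a client and a server banner, each peer sent at least its CR LF terminated identification string, so the conn.log byte total cannot legitimately be smaller than the two banner lengths plus the terminators.

```python
"""Flag conn.log records whose byte counters are lower than what the
matching ssh.log entry proves must have been on the wire.

Bro/Zeek writes tab-separated logs with a '#fields' header; the parser
below is header-driven, so the exact column set does not matter.
"""

# Constructed sample conn.log (not the ticket's pcap output).
# Cabc1 models the bug: ssh.log has banners for it, conn.log says 0 bytes.
CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
1443000000.000000\tCabc1\t10.0.0.5\t51000\t192.0.2.10\t22\ttcp\tssh\t0.003\t0\t0\tS0\tT\tF\t0\tS\t1\t60\t0\t0\t(empty)
1443000001.000000\tCdef2\t10.0.0.6\t51001\t192.0.2.11\t22\ttcp\tssh\t12.5\t2140\t3360\tSF\tT\tF\t0\tShADadFf\t24\t3400\t22\t4520\t(empty)
1443000002.000000\tCghi3\t10.0.0.7\t51002\t192.0.2.12\t80\ttcp\thttp\t0.2\t300\t1500\tSF\tT\tF\t0\tShADadFf\t5\t560\t4\t1700\t(empty)
"""

# Constructed sample ssh.log with a reduced set of the 2.4 columns.
SSH_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tauth_success\tdirection\tclient\tserver
1443000000.010000\tCabc1\t10.0.0.5\t51000\t192.0.2.10\t22\t2\tT\tOUTBOUND\tSSH-2.0-OpenSSH_6.6.1p1\tSSH-2.0-OpenSSH_6.9
1443000001.010000\tCdef2\t10.0.0.6\t51001\t192.0.2.11\t22\t2\tT\tOUTBOUND\tSSH-2.0-OpenSSH_6.6.1p1\tSSH-2.0-OpenSSH_6.9
"""


def parse_log(text):
    """Parse a Bro/Zeek TSV log into a list of dicts keyed by field name."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other metadata lines (#separator, #types, ...) or blanks
        else:
            if fields is None:
                raise ValueError("data line before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def to_int(value):
    """Bro writes '-' for unset numeric fields; treat that as zero."""
    return 0 if value in ("-", "") else int(value)


def banner_floor(ssh_row):
    """Minimum bytes the connection must have carried, given the banners
    recorded in ssh.log: each identification string plus its CR LF."""
    total = 0
    for key in ("client", "server"):
        banner = ssh_row.get(key, "-")
        if banner != "-":
            total += len(banner) + 2
    return total


def find_undercounted(conn_rows, ssh_rows):
    """Return (uid, conn_bytes, conn_pkts, required_bytes) for every
    connection whose conn.log byte total is below its banner floor."""
    floors = {r["uid"]: banner_floor(r) for r in ssh_rows}
    flagged = []
    for r in conn_rows:
        if r["uid"] not in floors:
            continue  # no SSH analyzer output for this connection
        total_bytes = to_int(r["orig_bytes"]) + to_int(r["resp_bytes"])
        total_pkts = to_int(r["orig_pkts"]) + to_int(r["resp_pkts"])
        if total_bytes < floors[r["uid"]]:
            flagged.append((r["uid"], total_bytes, total_pkts, floors[r["uid"]]))
    return flagged


if __name__ == "__main__":
    for uid, nbytes, npkts, needed in find_undercounted(parse_log(CONN_LOG),
                                                        parse_log(SSH_LOG)):
        print(f"{uid}: conn.log has {nbytes} bytes / {npkts} pkts, "
              f"but ssh.log banners alone need >= {needed} bytes")
```

Run against real logs by replacing the two constructed strings with the file contents; every flagged uid is a connection where the analyzer saw more traffic than conn.log accounts for, which is exactly the undercounting this ticket describes.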
--
This message was sent by Atlassian JIRA
(v7.2.0-OD-03-012#72000)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev