[ 
https://bro-tracker.atlassian.net/browse/BIT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24800#comment-24800
 ] 

Vern Paxson commented on BIT-1545:
----------------------------------

I'm definitely a fan of at least adding transparency that the value has not 
been properly tracked!  It would also be good to understand in what shunting 
situations one can still afford to track such values; and I would hope that 
even if there's full (blind) shunting, the FIN/RSTs that terminate the 
connection are still captured, so one can make a guess based on sequence 
numbers.  (Likewise, we'd want this annotated as a guess and not a directly 
measured value.)

> SSH connection not recording entire flow correctly
> --------------------------------------------------
>
>                 Key: BIT-1545
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1545
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.4
>         Environment: Ubuntu 14.04 LTS, myricom 10g capture card
>            Reporter: Jason Carr
>            Assignee: Johanna Amann
>              Labels: logging
>             Fix For: 2.5
>
>         Attachments: ssh-port22.pcap
>
>
> Making a connection out to a server via ssh does not write to conn.log while 
> running with broctl but it does log to weird.log and ssh.log but nothing to 
> conn.log.
> While running bro -C -r ssh-port22.pcap, a partial log entry is listed with 
> an incorrect and very low number of packets and bytes.
> It was determined that disabling the SSH analyzer gets the correct conn.log 
> output. 
> Analyzer::disable_analyzer(Analyzer::ANALYZER_SSH);   
> Testing on try.bro.org, 2.4+ and master has this problem but 2.3 and below it 
> works as expected.
> Attached is the SSH connection outbound pcap.



--
This message was sent by Atlassian JIRA
(v7.2.0-OD-03-014#72000)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
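
The guess described in the comment above, sketched as an added example (not code from Bro or from the ticket): when the middle of a flow is shunted but the SYN and the terminating FIN/RST are still captured, payload bytes per direction can be inferred from the sequence-number delta and marked as an estimate. The names `Seg`, `ByteCount` and `estimate_bytes` and the sample segments are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap

@dataclass
class Seg:
    sender: str          # "orig" or "resp"
    flags: str           # any of "S", "F", "R", "A"
    seq: int
    payload_len: int = 0

@dataclass
class ByteCount:
    value: Optional[int]
    estimated: bool      # True: inferred from sequence numbers, not measured
    note: str

def estimate_bytes(segments, sender):
    """Infer payload bytes sent by `sender` from its SYN and FIN/RST only."""
    isn = end = None
    for s in segments:
        if s.sender != sender:
            continue
        if "S" in s.flags and isn is None:
            isn = s.seq
        if "F" in s.flags:
            # Sequence number occupied by the FIN itself (after any payload).
            end = (s.seq + s.payload_len) % SEQ_MOD
        elif "R" in s.flags and end is None:
            # An RST carries the next sequence number and consumes none.
            end = s.seq
    if isn is None or end is None:
        return ByteCount(None, True, "SYN or FIN/RST not captured")
    # The SYN consumes one sequence number, so data starts at isn + 1.
    est = (end - isn - 1) % SEQ_MOD
    return ByteCount(est, True, "seq delta; ambiguous modulo 2^32 bytes")

# Constructed sample: only handshake and teardown segments were captured.
SAMPLE = [
    Seg("orig", "S", 4294967000),   # ISN close to the 32-bit wrap point
    Seg("resp", "SA", 1000),
    Seg("orig", "FA", 4705),        # wrapped: 5000 payload bytes were sent
    Seg("resp", "RA", 1301),        # responder aborted after 300 bytes
]

if __name__ == "__main__":
    for side in ("orig", "resp"):
        print(side, estimate_bytes(SAMPLE, side))
```

Because the delta is taken modulo 2^32, a direction that carried 4 GiB or more yields the same estimate as a much smaller one, which is one reason to log the value as a guess.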
