[ https://bro-tracker.atlassian.net/browse/BIT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24802#comment-24802 ]
Johanna Amann commented on BIT-1545:
------------------------------------
Yes, that was pretty much the outcome of our discussion.
The SSH case is fixed now (the merged patch only removes the SSH analyzer - all
counting stays intact), and I was mistaken about the other protocols; they do
not do it.
For external shunting (which is not part of Bro yet, but will be soon), we have
a way to get some information from the switches (if they support that). I just
have to get that into conn log.
We also discussed that adding a character to the connection history for
"connection was shunted" would be a good idea, to indicate that the numbers are
only a guess.
> SSH connection not recording entire flow correctly
> --------------------------------------------------
>
> Key: BIT-1545
> URL: https://bro-tracker.atlassian.net/browse/BIT-1545
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master, 2.4
> Environment: Ubuntu 14.04 LTS, myricom 10g capture card
> Reporter: Jason Carr
> Assignee: Johanna Amann
> Labels: logging
> Fix For: 2.5
>
> Attachments: ssh-port22.pcap
>
>
> Making a connection out to a server via ssh does not write to conn.log while
> running with broctl but it does log to weird.log and ssh.log but nothing to
> conn.log.
> While running bro -C -r ssh-port22.pcap, a partial log entry is listed with
> an incorrect and very low number of packets and bytes.
> It was determined that disabling the SSH analyzer gets the correct conn.log
> output.
> Analyzer::disable_analyzer(Analyzer::ANALYZER_SSH);
> Testing on try.bro.org, 2.4+ and master have this problem, but on 2.3 and
> below it works as expected.
> Attached is the SSH connection outbound pcap.
_______________________________________________
bro-dev mailing list
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev