[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20114#comment-20114 ]

Vlad Grigorescu commented on BIT-1344:
--

Fair enough. I'll get that added.

New SSH Analyzer
Key: BIT-1344
URL: https://bro-tracker.atlassian.net/browse/BIT-1344
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Affects Versions: 2.4
Reporter: Vlad Grigorescu
Assignee: Vlad Grigorescu

The SSH analyzer was rewritten from scratch in topic/vladg/ssh.

--
This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014)
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1344:
--

I would prefer staying with the well-known ports. I see the argument for signature-only, but it would be inconsistent with how the other analyzers work, making it hard to explain to people what's going on. And I don't expect much of a problem in terms of efficiency for SSH.
Re: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
On Tue, Mar 24, 2015 at 16:52 -0500, you wrote:

> This is something I've actually been moving away from. If I have a high level of confidence in the DPD signature, I'd rather rely on that, since I believe it will be more efficient than to try to attach the analyzer to all traffic on that port, and wait for a violation. This was based off some informal discussions with Seth, but I'm happy to throw it out to bro-dev and see what others think.

I would prefer staying with the well-known ports. I see the argument for signature-only, but it would be inconsistent with how the other analyzers work, making it hard to explain to people what's going on. And I don't expect much of a problem in terms of efficiency for SSH.
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20115#comment-20115 ]

Vlad Grigorescu commented on BIT-1344:
--

I committed a change to register the analyzer on 22/tcp.

There's still one regression in the private test suite - an SSH connection no longer gets identified as such. This is because there are TCP gaps, and the new analyzer follows the style of other BinPAC analyzers that don't try to parse when there's a gap. Because we're now doing actual parsing on the packets, I'd rather keep the strict behavior in place - the chances of parsing succeeding if there's a gap in the cleartext portion of the protocol are slim.
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vlad Grigorescu reassigned BIT-1344:
--

Assignee: Johanna Amann (was: Vlad Grigorescu)
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1344:
--

Status: Merge Request (was: Open)
Re: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
On Mar 25, 2015, at 11:29 AM, Robin Sommer <ro...@icir.org> wrote:

> I would prefer staying with the well-known ports. I see the argument for signature-only, but it would be inconsistent with how the other analyzers work, making it hard to explain to people what's going on. And I don't expect much of a problem in terms of efficiency for SSH.

Ah, good point. I can see the argument to wait and do that all at once as yet another nail in the coffin of port-based-analysis.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1344:
--

Ah, good point. I can see the argument to wait and do that all at once as yet another nail in the coffin of port-based-analysis.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1344:
--

Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20110#comment-20110 ]

Johanna Amann commented on BIT-1344:
--

Thanks. And no, I will just go over it while continuing the merge, I think I already removed most of them.
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20108#comment-20108 ]

Johanna Amann commented on BIT-1344:
--

Hi, just a few small questions I stumbled across while merging this:

* Is there a reason why you do not register the analyzer to port 22 by default? If I am not mistaken, the old one and basically all other protocol analyzers register to their well-known ports by default and just fail if they cannot parse the protocol.

* Currently some of the texts in different files still state that login success/failure is determined by heuristics. Should we leave that text in, or is it safe if I remove it while merging?
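The thread discusses two ways Bro can start the SSH analyzer on a connection: registering it on well-known ports (where non-SSH traffic is parsed until a protocol violation removes the analyzer) or relying solely on the DPD signature, plus the BinPAC behaviour of giving up after a TCP gap. The script below is an added example that is not part of this thread or of Bro's own SSH scripts; it shows how an operator sees both paths from script land. The module name SSHAttach, the notice type SSH_On_Unexpected_Port, the expected_ports set and the extra port 2222/tcp are assumptions made for the example; Analyzer::register_for_ports, protocol_confirmation, protocol_violation and content_gap are Bro 2.x APIs.

```bro
# Added example, not code from the BIT-1344 thread or from Bro itself.
# SSHAttach, expected_ports, SSH_On_Unexpected_Port and 2222/tcp are
# assumptions chosen for illustration.
@load base/frameworks/notice
@load base/frameworks/analyzer
@load base/protocols/ssh

module SSHAttach;

export {
	redef enum Notice::Type += {
		## SSH was confirmed on a port outside expected_ports, so the
		## DPD signature, not the port registration, must have found it.
		SSH_On_Unexpected_Port,
	};

	## Ports on which SSH is expected. The analyzer is attached to these
	## directly; anywhere else only the DPD signature can start it.
	const expected_ports = { 22/tcp, 2222/tcp } &redef;
}

event bro_init() &priority=5
	{
	# Port-based attachment, the "well-known ports" side of the thread.
	# Bro's SSH script already registers 22/tcp; registering the full set
	# here adds the extra port and is harmless where it overlaps.
	Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, expected_ports);
	}

event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
	{
	if ( atype != Analyzer::ANALYZER_SSH )
		return;

	# Confirmation on a port we never registered: this is the
	# signature-only path in action.
	if ( c$id$resp_p !in expected_ports )
		NOTICE([$note=SSH_On_Unexpected_Port,
		        $conn=c,
		        $msg=fmt("SSH confirmed by DPD signature on %s", c$id$resp_p),
		        $identifier=cat(c$id$resp_h, c$id$resp_p),
		        $suppress_for=1day]);
	}

event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
	{
	if ( atype != Analyzer::ANALYZER_SSH )
		return;

	# The cost of port-based attachment: non-SSH traffic on an expected
	# port is parsed until the analyzer fails and is removed. The DPD
	# framework also records this in dpd.log.
	Reporter::info(fmt("SSH analyzer removed from %s -> %s: %s",
	                   c$id$orig_h, c$id$resp_p, reason));
	}

event content_gap(c: connection, is_orig: bool, seq: count, length: count)
	{
	# A TCP gap on an expected port. The BinPAC-based analyzer does not
	# resume parsing after a gap, so a missing ssh.log entry for this
	# connection is the expected outcome rather than a bug.
	if ( c$id$resp_p !in expected_ports )
		return;

	Reporter::info(fmt("%d byte gap in %s half of %s, SSH parsing will not resume",
	                   length, is_orig ? "originator" : "responder", c$uid));
	}
```

Run it with `bro -r trace.pcap sshattach.bro` (script file name assumed). SSH on 2222/tcp is found by the port registration; SSH on, say, 8022/tcp is found only by the signature and raises the notice; non-SSH traffic on 22/tcp or 2222/tcp shows up as a violation; and a connection that logs a gap but never produces an ssh.log entry is the case Vlad describes above.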
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1344:
--

Status: Open (was: Merge Request)
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20112#comment-20112 ]

Johanna Amann commented on BIT-1344:
--

I found a regression from master where the new SSH analyzer does not correctly identify the source and the destination for traces where it missed packets. Since the trace is private I will send you a followup per mail.
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

grigorescu updated BIT-1344:
--

Status: Merge Request (was: Open)
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
grigorescu created BIT-1344:
--

Summary: New SSH Analyzer
Key: BIT-1344
URL: https://bro-tracker.atlassian.net/browse/BIT-1344
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Affects Versions: 2.4
Reporter: grigorescu

The SSH analyzer was rewritten from scratch in topic/vladg/ssh.
[Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1344:
--

Assignee: Johanna Amann