> On Aug 26, 2014, at 5:02 PM, Vlad Grigorescu <[email protected]> wrote:
>
> The specific issue is that the jump in seq numbers between the first and
> second connection causes Bro to think that a lot of traffic was simply missed.
> This leads to false positives with the SSH heuristic, since now the byte
> total is over the threshold.

As a workaround you may be able to filter out such cases by checking whether connection records report missing data and a history string with more than one handshake?

> Digging into this, I realize it wasn't as closely related to this ticket as I
> thought, so let me know if I should file a new ticket for this.

Yeah, make a ticket.

  - Jon

_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
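The workaround Jon sketches, written out as a Bro script. This is an added example, not code from the thread or from the Bro project: it assumes the base `conn` scripts are loaded (so `c$conn$missed_bytes` is available), it assumes that a second TCP handshake on a reused 4-tuple shows up as a second `S` in `c$history` (the module name, `min_handshakes` and `looks_reused` are hypothetical), and it only prints matches rather than patching the SSH heuristic itself.

```bro
##! Added example (not from the bro-dev thread): flag connection records
##! that look like two TCP sessions glued together on one 4-tuple, so the
##! SSH byte-count heuristic is not trusted for them.

@load base/protocols/conn

module ReusedTuple;

export {
    ## Assumption: a reused 4-tuple shows more than one originator SYN
    ## in c$history. Number of SYNs that counts as "more than one handshake".
    const min_handshakes = 2 &redef;

    ## Returns T when the record reports missing data AND repeated handshakes.
    global looks_reused: function(c: connection): bool;
}

function looks_reused(c: connection): bool
{
    # Keep only 'S' (originator SYN) characters and count what is left.
    local syns = |gsub(c$history, /[^S]/, "")|;

    # Conn::Info is attached by base/protocols/conn; missed_bytes is the
    # amount of payload Bro believes it never saw on this connection.
    local gap = c?$conn && c$conn$missed_bytes > 0;

    return syns >= min_handshakes && gap;
}

# Illustration only: report matching connections at teardown so they can
# be correlated with SSH notices carrying the same uid.
event connection_state_remove(c: connection)
{
    if ( looks_reused(c) )
        print fmt("%s: history=%s missed_bytes=%d -- do not trust SSH size heuristic",
                  c$uid, c$history, c$conn$missed_bytes);
}
```

Whether a retransmitted or repeated SYN actually appears as a second `S` depends on how the running Bro version builds the history string, so the `missed_bytes` test is the more reliable half of the check; confirm the history behaviour against a pcap of the reused-tuple case before relying on the SYN count.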
