[ https://bro-tracker.atlassian.net/browse/BIT-1545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24705#comment-24705 ]

Johanna Amann commented on BIT-1545:
------------------------------------

I talked to Robin - and was mistaken, most of these cases are actually not a 
problem because the analyzers only disable themselves, not the root-analyzer.

We still should fix the current behavior someday - for example by adding a 
field to the connection history that the size counting was disabled for the 
rest of this connection. This will potentially become even more interesting 
with the addition of the netcontrol framework, which also should somehow signal 
that connections have been shunted (currently, it is not really doing that).

> SSH connection not recording entire flow correctly
> --------------------------------------------------
>
>                 Key: BIT-1545
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1545
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.4
>         Environment: Ubuntu 14.04 LTS, myricom 10g capture card
>            Reporter: Jason Carr
>              Labels: logging
>             Fix For: 2.5
>
>         Attachments: ssh-port22.pcap
>
>
> Making a connection out to a server via ssh does not write to conn.log while 
> running with broctl but it does log to weird.log and ssh.log but nothing to 
> conn.log.
> While running bro -C -r ssh-port22.pcap, a partial log entry is listed with 
> an incorrect and very low number of packets and bytes.
> It was determined that disabling the SSH analyzer gets the correct conn.log 
> output. 
> Analyzer::disable_analyzer(Analyzer::ANALYZER_SSH);   
> Testing on try.bro.org, 2.4+ and master has this problem but 2.3 and below it 
> works as expected.
> Attached is the SSH connection outbound pcap.



--
This message was sent by Atlassian JIRA
(v7.2.0-OD-03-012#72000)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
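
A cross-check for the symptom reported in this issue (an ssh.log entry whose conn.log record is missing or shows a very low packet count), as an added example that is not part of the original message or of Bro itself. The sample log lines are constructed and use a reduced column set; `min_pkts` is an assumed threshold.

```python
def read_bro_log(lines):
    """Parse Bro's TSV log format: '#fields' names the columns,
    every other '#' line is metadata and is skipped."""
    fields, rows = [], []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def check_ssh_accounting(conn_lines, ssh_lines, min_pkts=10):
    """Return {uid: reason} for every ssh.log session whose conn.log
    record is absent or counts fewer than min_pkts packets.
    min_pkts is an assumption, tune it for the monitored traffic."""
    conns = {r["uid"]: r for r in read_bro_log(conn_lines)}
    findings = {}
    for ssh in read_bro_log(ssh_lines):
        uid = ssh["uid"]
        conn = conns.get(uid)
        if conn is None:
            findings[uid] = "no conn.log entry"
            continue
        # "-" is Bro's marker for an unset field
        pkts = sum(int(conn[f]) for f in ("orig_pkts", "resp_pkts")
                   if conn.get(f, "-") != "-")
        if pkts < min_pkts:
            findings[uid] = f"only {pkts} packets counted"
    return findings


def make_log(fields, *rows):
    """Build constructed sample log lines with a Bro-style header."""
    header = ["#separator \\x09", "#fields\t" + "\t".join(fields)]
    return header + ["\t".join(r) for r in rows]


# Constructed sample data (reduced column set, documentation addresses).
CONN_LOG = make_log(
    ("ts", "uid", "id.orig_h", "id.resp_h", "service", "orig_pkts", "resp_pkts"),
    ("1466000000.0", "CAAA1", "10.0.0.5", "192.0.2.10", "ssh", "812", "640"),
    ("1466000100.0", "CBBB2", "10.0.0.5", "192.0.2.11", "ssh", "3", "2"))
SSH_LOG = make_log(
    ("ts", "uid", "id.orig_h", "id.resp_h"),
    ("1466000000.0", "CAAA1", "10.0.0.5", "192.0.2.10"),
    ("1466000100.0", "CBBB2", "10.0.0.5", "192.0.2.11"),
    ("1466000200.0", "CCCC3", "10.0.0.5", "192.0.2.12"))

if __name__ == "__main__":
    for uid, reason in check_ssh_accounting(CONN_LOG, SSH_LOG).items():
        print(uid, reason)
```

On real logs, pass the open file objects for conn.log and ssh.log instead of the sample lists.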
