From e6a8489780c985b6a541ece97442e639c2dfb122 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 25 Oct 2011 00:01:04 -0400
Subject: [PATCH] Testing a fix for SSH login detection heuristic.

---
 scripts/base/protocols/ssh/main.bro | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index 95d68fe438..47472b985b 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -107,21 +107,25 @@ function check_ssh_connection(c: connection, done: bool)
 	if ( !c$resp?$num_bytes_ip )
 		return;
 
+	local server_bytes = c$resp$num_bytes_ip -
+	                     c$resp$num_pkts*32 - # Cut the TCP header
+	                     c$resp$num_pkts*20;  # Cut the IP header (TODO: fix for IPv6)
+
 	# If this is still a live connection and the byte count has not
 	# crossed the threshold, just return and let the resheduled check happen later.
-	if ( !done && c$resp$num_bytes_ip < authentication_data_size )
+	if ( !done && server_bytes < authentication_data_size )
 		return;
 
 	# Make sure the server has sent back more than 50 bytes to filter out
 	# hosts that are just port scanning.  Nothing is ever logged if the server
 	# doesn't send back at least 50 bytes.
-	if ( c$resp$num_bytes_ip < 50 )
+	if ( server_bytes < 50 )
 		return;
 
 	c$ssh$direction = Site::is_local_addr(c$id$orig_h) ? OUTBOUND : INBOUND;
-	c$ssh$resp_size = c$resp$num_bytes_ip;
+	c$ssh$resp_size = server_bytes;
 
-	if ( c$resp$num_bytes_ip < authentication_data_size )
+	if ( server_bytes < authentication_data_size )
 		{
 		c$ssh$status = "failure";
 		event SSH::heuristic_failed_login(c);
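Review bot: The new `server_bytes` computation can go negative, because it subtracts a fixed 52 bytes (32 TCP + 20 IP) per packet while a responder stream made up of small pure ACKs carries only 40 bytes per packet when no TCP options are present. If `num_bytes_ip` and `num_pkts` are unsigned `count` fields, as the endpoint record suggests, the underflow wraps to a very large value that clears both the 50-byte scanner filter and the `authentication_data_size` threshold, so a port scanner or aborted handshake would be recorded as a successful login rather than filtered out. A guard before the computation, `if ( c$resp$num_bytes_ip < c$resp$num_pkts*52 ) return;`, keeps the heuristic on the conservative side, and the 32-byte TCP figure deserves a comment such as `# assumes a 20-byte TCP header plus the 12-byte timestamp option; varies with options in use`. Note that check_ssh_connection starts before this hunk and its body continues past it.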