From ae3ae9a75b7092381a7a7717eb2daf99c6c3dd15 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Thu, 27 Oct 2011 09:41:34 -0400
Subject: [PATCH] Awful fix for SSH login detection.

- We need a counted measure of payload bytes (not ack tracking and not with the IP header which is what we have now).
---
 scripts/base/protocols/ssh/main.bro | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index 47472b985b..3a60244184 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -103,17 +103,23 @@ function check_ssh_connection(c: connection, done: bool)
         return;
 
     # Make sure conn_size_analyzer is active by checking
-    # resp$num_bytes_ip
-    if ( !c$resp?$num_bytes_ip )
+    # resp$num_bytes_ip. In general it should always be active though.
+    if ( ! c$resp?$num_bytes_ip )
         return;
 
-    local server_bytes = c$resp$num_bytes_ip -
-                         c$resp$num_pkts*32 - # Cut the TCP header
-                         c$resp$num_pkts*20; # Cut the IP header (TODO: fix for IPv6)
+    # Remove the IP and TCP header length from the total size.
+    # TODO: Fix for IPv6. This whole approach also seems to break in some
+    # cases where there are more header bytes than num_bytes_ip.
+    local header_bytes = c$resp$num_pkts*32 + c$resp$num_pkts*20;
+    local server_bytes = c$resp$num_bytes_ip;
+    if ( server_bytes >= header_bytes )
+        server_bytes = server_bytes - header_bytes;
+    else
+        server_bytes = c$resp$size;
 
-    # If this is still a live connection and the byte count has not
-    # crossed the threshold, just return and let the resheduled check happen later.
-    if ( !done && server_bytes < authentication_data_size )
+    # If this is still a live connection and the byte count has not crossed
+    # the threshold, just return and let the rescheduled check happen later.
+    if ( ! done && server_bytes < authentication_data_size )
         return;
 
     # Make sure the server has sent back more than 50 bytes to filter out
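Review bot: The else-branch falls back to `c$resp$size`, which the commit message itself describes as the wrong measure (ack/sequence tracking rather than counted payload), so on connections where the fixed header estimate exceeds num_bytes_ip the threshold comparison below silently switches to a different scale of measurement without any comment saying so. That branch should carry a note such as `# Fallback: resp$size is sequence-based, not counted payload; the threshold below is not calibrated for it.` The per-packet estimate of 32 + 20 header bytes is an assumption about TCP options and IPv4 that the TODO only partly acknowledges: where it overestimates, server_bytes is undercounted and an authentication exchange may go unreported until the connection is done, and for IPv6 it undercounts headers so the threshold can be crossed early. Retransmitted packets presumably inflate both num_pkts and num_bytes_ip, which would also skew the subtraction — worth confirming against conn_size_analyzer and stating in the TODO. check_ssh_connection begins and ends outside the hunk.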