Testing a fix for SSH login detection heuristic.

scripts/base/protocols/ssh/main.bro

@@ -107,21 +107,25 @@ function check_ssh_connection(c: connection, done: bool)
 	if ( !c$resp?$num_bytes_ip )
 		return;
 	
+	local server_bytes = c$resp$num_bytes_ip - 
+			c$resp$num_pkts*32 - # Cut the TCP header
+			c$resp$num_pkts*20;  # Cut the IP header (TODO: fix for IPv6)
+	
 	# If this is still a live connection and the byte count has not
 	# crossed the threshold, just return and let the resheduled check happen later.
-	if ( !done && c$resp$num_bytes_ip < authentication_data_size )
+	if ( !done && server_bytes < authentication_data_size )
 		return;
 
 	# Make sure the server has sent back more than 50 bytes to filter out
 	# hosts that are just port scanning.  Nothing is ever logged if the server
 	# doesn't send back at least 50 bytes.
-	if ( c$resp$num_bytes_ip < 50 )
+	if ( server_bytes < 50 )
 		return;
 
 	c$ssh$direction = Site::is_local_addr(c$id$orig_h) ? OUTBOUND : INBOUND;
-	c$ssh$resp_size = c$resp$num_bytes_ip;
+	c$ssh$resp_size = server_bytes;
 	
-	if ( c$resp$num_bytes_ip < authentication_data_size )
+	if ( server_bytes < authentication_data_size )
 		{
 		c$ssh$status  = "failure";
 		event SSH::heuristic_failed_login(c);