rare SSH successful login heuristic FPs

Description

During a bruteforce attack that made 27M attempted logins, 2 were flagged as successful by one instance of Bro monitoring the traffic, but not by another running an identical config on the same traffic stream. I wasn't able to reproduce the FPs from bulk traces of the event. Both instances were associated with two Weirds, "SYN_after_close" and "excessive_data_without_further_acks" that were otherwise quite rare in the traffic. This suggests that there's a flaw in the heuristic whereby it's analyzing traffic streams that have confused state. Perhaps an adequate fix is to track whether a given flow has experienced those Weirds, and if so, don't apply the heuristic to it.
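The gating the report proposes (skip the heuristic on a flow that raised state-confusing Weirds), modelled as an added Python example that is not code from the report or from Bro. The byte-count rule standing in for the successful-login heuristic, its threshold, the event shapes and the four sample flows are all constructed assumptions for illustration; only the two Weird names come from the report.

```python
"""Model of gating an SSH successful-login heuristic on per-flow Weird state.

Added example, not Bro code: replays a constructed event stream and shows which
flows the ungated heuristic would flag versus what the proposed gate reports.
"""

# Weird names the report found associated with the two false positives.
STATE_CONFUSING_WEIRDS = frozenset({
    "SYN_after_close",
    "excessive_data_without_further_acks",
})

# Assumed threshold (illustration only): responder bytes after the auth phase
# above which the stand-in byte-count heuristic declares a successful login.
AUTH_DATA_SIZE = 4000


class FlowState:
    """Per-connection state the gate needs: responder bytes and Weirds raised."""

    def __init__(self, uid):
        self.uid = uid
        self.resp_bytes = 0
        self.weirds = set()

    def raw_verdict(self):
        # The ungated heuristic looks only at responder volume.
        return "success" if self.resp_bytes > AUTH_DATA_SIZE else "failure"

    def gated_verdict(self):
        # Proposed fix: refuse to judge a flow whose TCP state was confused.
        if self.weirds & STATE_CONFUSING_WEIRDS:
            return "unreliable"
        return self.raw_verdict()


def analyze(events):
    """Replay (kind, uid, value) events and return per-flow verdicts.

    kinds: "weird" (value = Weird name), "resp" (value = responder byte count),
           "close" (value ignored; the flow is judged at connection end).
    """
    flows = {}
    results = {}
    for kind, uid, value in events:
        flow = flows.setdefault(uid, FlowState(uid))
        if kind == "weird":
            flow.weirds.add(value)
        elif kind == "resp":
            flow.resp_bytes += value
        elif kind == "close":
            results[uid] = {
                "raw": flow.raw_verdict(),
                "gated": flow.gated_verdict(),
                "weirds": sorted(flow.weirds),
            }
        else:
            raise ValueError("unknown event kind: %r" % kind)
    return results


def false_positives_removed(events):
    """Flows the raw heuristic called successful but the gate withheld."""
    r = analyze(events)
    return sorted(u for u, v in r.items()
                  if v["raw"] == "success" and v["gated"] == "unreliable")


# Constructed sample stream (not a real trace): four SSH connections.
# "DNS_RR_unknown_type" is an arbitrary name standing in for an unrelated Weird.
SAMPLE_EVENTS = [
    ("resp", "C1", 900), ("resp", "C1", 600), ("close", "C1", None),     # ordinary failed attempt
    ("resp", "C2", 3000), ("resp", "C2", 6000), ("close", "C2", None),   # genuine successful login
    ("weird", "C3", "SYN_after_close"), ("resp", "C3", 1200),
    ("weird", "C3", "excessive_data_without_further_acks"),
    ("resp", "C3", 5300), ("close", "C3", None),                         # confused state: raw FP
    ("weird", "C4", "DNS_RR_unknown_type"), ("resp", "C4", 7000),
    ("close", "C4", None),                                               # unrelated Weird: still judged
]


if __name__ == "__main__":
    for uid, verdict in analyze(SAMPLE_EVENTS).items():
        print(uid, verdict)
    print("suppressed:", false_positives_removed(SAMPLE_EVENTS))
```

The gate reports a third state ("unreliable") rather than silently downgrading the flow to a failure, so a flow that is withheld from the success count is still visible to whoever is tuning the heuristic; a Weird outside the named set (C4) leaves the verdict untouched.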

Environment

None

Assignee

Unassigned

Reporter

Vern Paxson

Labels

None

External issue ID

None

Components

Fix versions

Affects versions

Priority

Normal