SSH connection not recording entire flow correctly

Description

Making a connection out to a server via SSH does not write to conn.log while running with broctl; it does log to weird.log and ssh.log, but nothing to conn.log.

While running bro -C -r ssh-port22.pcap, a partial log entry is listed with an incorrect and very low number of packets and bytes.

It was determined that disabling the SSH analyzer gets the correct conn.log output.

Analyzer::disable_analyzer(Analyzer::ANALYZER_SSH);

Testing on try.bro.org, 2.4+ and master have this problem, but on 2.3 and below it works as expected.

Attached is the SSH connection outbound pcap.
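
One way to check a set of logs for the symptom described above, as an added example that is not part of the original report: it lists connection uids that appear in ssh.log or weird.log but have no conn.log record. The function names and the sample log text (trimmed columns, constructed uids, addresses and weird name) are assumptions made for illustration.

```python
import io

def read_bro_log(stream):
    """Yield one dict per record from a Bro ASCII (tab-separated) log."""
    fields, sep = None, "\t"
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#separator"):
            # Header looks like "#separator \x09": the value is an escaped byte.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split(sep)))

def missing_from_conn(conn_text, other_logs):
    """Map each log name to the uids it holds that conn.log lacks."""
    conn_uids = {r["uid"] for r in read_bro_log(io.StringIO(conn_text))}
    result = {}
    for name, text in other_logs.items():
        uids = {r.get("uid", "-") for r in read_bro_log(io.StringIO(text))}
        # "-" is Bro's unset-field marker: weird.log rows without a connection.
        result[name] = sorted(uids - conn_uids - {"-"})
    return result

# Constructed sample logs (not taken from the attached pcap).
CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.resp_p\tproto\torig_pkts\tresp_pkts
1450000000.000000\tCAAAAA1\t192.0.2.10\t22\ttcp\t40\t38
"""
SSH_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.resp_p
1450000000.100000\tCAAAAA1\t192.0.2.10\t22
1450000050.100000\tCBBBBB2\t192.0.2.10\t22
"""
WEIRD_LOG = """#separator \\x09
#fields\tts\tuid\tname
1450000050.200000\tCBBBBB2\texample_weird
1450000060.000000\t-\texample_weird
"""

if __name__ == "__main__":
    logs = {"ssh.log": SSH_LOG, "weird.log": WEIRD_LOG}
    for name, uids in missing_from_conn(CONN_LOG, logs).items():
        print(name, "uids with no conn.log entry:", uids)
```
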

Environment

Ubuntu 14.04 LTS, myricom 10g capture card

Assignee

Johanna Amann

Reporter

Jason Carr

Labels

External issue ID

None

Components

Fix versions

Affects versions

Priority

Normal