Incorrect size calculation for SSH failed/successful heuristic

Description

We're getting a lot of false positives for successful SSH logins from a source that we recently blackholed. I suspect what's happening is that the retransmissions keep bumping up the size of the connection, until it crosses the threshold for a "successful" connection.

With the changes from BIT-730: Find and fix tcp sequence counting bugs, is it possible to improve the accuracy of the reported size?

Environment

None

Assignee

Unassigned

Reporter

Vlad Grigorescu

Labels

None

External issue ID

947

Components

Fix versions

Affects versions

Priority

Low
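The effect described in the report, as an added example that is not part of the original ticket or the project's code: a size heuristic that sums every payload it sees counts retransmitted bytes again, while merging covered sequence ranges counts each byte once. The threshold value, function names and segment data are assumptions constructed for illustration.

```python
# Constructed illustration; not the project's implementation.
SUCCESS_THRESHOLD = 4000  # hypothetical byte threshold for a "successful" login


def naive_size(segments):
    """Sum every payload seen, so retransmitted bytes are counted again."""
    return sum(length for _seq, length in segments)


def unique_size(segments):
    """Count each sequence-space byte once by merging covered ranges.

    segments: (relative_seq, payload_len) pairs for one direction.
    Sequence wraparound is ignored to keep the example short.
    """
    ranges = sorted((seq, seq + n) for seq, n in segments if n > 0)
    total = 0
    cur_start = cur_end = None
    for start, end in ranges:
        if cur_end is None or start > cur_end:
            # Gap before this range: close out the previous merged range.
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = start, end
        else:
            # Overlap or exact retransmission: extend, never double count.
            cur_end = max(cur_end, end)
    if cur_end is not None:
        total += cur_end - cur_start
    return total


def classify(size, threshold=SUCCESS_THRESHOLD):
    return "successful" if size >= threshold else "failed"


def sample_flow():
    """Constructed flow: 1200 bytes sent, last 600-byte segment never ACKed."""
    segments = [(1000, 600), (1600, 600)]
    segments += [(1600, 600)] * 5  # five retransmissions of the same bytes
    return segments


if __name__ == "__main__":
    flow = sample_flow()
    for name, fn in (("naive", naive_size), ("unique", unique_size)):
        size = fn(flow)
        print(f"{name}: {size} bytes -> {classify(size)}")
```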