On Aug 26, 2014, at 5:02 PM, Vlad Grigorescu
> The specific issue is that the jump in seq numbers between the first and second
> connection causes Bro to think that a lot of traffic was simply missed. This leads to false
> positives with the SSH heuristic, since now the byte total is over the threshold.
As a workaround, you may be able to filter out such cases by checking whether connection
records report missing data and a history string with more than one handshake?
> Digging into this, I realize it wasn't as closely
> related to this ticket as I thought, so let me know if I should file a new ticket for
Yeah, make a ticket.
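The workaround suggested above, as an added example that is not part of this thread or of the Bro project's code: parse conn.log records and flag those that report missed data and show more than one handshake in the history string. The column layout is taken from the `#fields` header (the list of default Bro 2.x conn.log columns is an assumption used only to build the sample); the records, uids and byte counts are constructed for the example, and treating each originator `S` in the history as one handshake is an assumption about the history notation.

```python
"""Flag Bro conn.log records that look like two TCP connections spliced into one.

Added example; not code from the Bro project or from this thread. It implements
the workaround proposed in the reply: treat a record as suspect when it reports
missing data (missed_bytes > 0) *and* its history string shows more than one
handshake. Columns are read from the #fields header, so other layouts parse
too; the sample records below are constructed, not captured.
"""

# Default Bro 2.x conn.log columns (assumed layout, used only to build the sample).
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
    "local_orig", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
    "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]

# Constructed sample. C2 is the case from the thread: a second connection on the
# same 4-tuple whose sequence-number jump is reported as a large missed_bytes gap,
# with a second originator SYN ('S') in the history. C3 is ordinary packet loss
# (one handshake); C4 is a retransmitted SYN with no gap. Only C2 should be flagged.
_RECORDS = [
    ["1409097600.000000", "C1", "10.0.0.5", "50001", "10.0.0.9", "22", "tcp", "ssh",
     "12.5", "4096", "5120", "SF", "-", "0", "ShADadFf", "40", "6000", "38", "7000", "(empty)"],
    ["1409097700.000000", "C2", "10.0.0.5", "50002", "10.0.0.9", "22", "tcp", "ssh",
     "0.9", "300", "3000250", "SF", "-", "3000000", "ShADadShAdaFf", "12", "1000", "11", "900", "(empty)"],
    ["1409097800.000000", "C3", "10.0.0.6", "50003", "10.0.0.9", "22", "tcp", "ssh",
     "3.1", "9000", "12000", "S1", "-", "120", "ShADad", "50", "9000", "52", "12000", "(empty)"],
    ["1409097900.000000", "C4", "10.0.0.7", "50004", "10.0.0.9", "22", "tcp", "ssh",
     "2.0", "800", "900", "SF", "-", "0", "SShADadFf", "20", "2000", "19", "2100", "(empty)"],
]
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#path\tconn", "#fields\t" + "\t".join(CONN_FIELDS)]
    + ["\t".join(r) for r in _RECORDS]
) + "\n"


def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header line."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # other header lines (#separator, #path, #types, ...)
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("record does not match #fields header: %r" % line)
        yield dict(zip(fields, values))


def handshake_count(history):
    """Handshakes seen from the originator, approximated as the number of 'S'
    (originator SYN without ACK) letters in the history string. Whether a
    repeated SYN on the same 4-tuple is recorded again depends on the Bro
    version (assumption), so this is a lower bound."""
    return history.count("S")


def looks_spliced(rec):
    """True when the record reports missed data AND more than one handshake.

    Either condition alone is common (plain packet loss, a retransmitted SYN);
    the combination is what the thread describes.
    """
    missed = rec["missed_bytes"]
    missed_bytes = 0 if missed in ("-", "(empty)") else int(missed)
    return missed_bytes > 0 and handshake_count(rec["history"]) > 1


def filter_suspect(text):
    """Return (clean_uids, suspect_uids) for the conn.log text."""
    clean, suspect = [], []
    for rec in parse_conn_log(text):
        (suspect if looks_spliced(rec) else clean).append(rec["uid"])
    return clean, suspect


if __name__ == "__main__":
    clean, suspect = filter_suspect(SAMPLE_CONN_LOG)
    print("keep for SSH heuristic:", clean)
    print("suspect (missed data + >1 handshake):", suspect)
```

Records in the suspect list are the ones to exclude before applying a byte-count threshold; the two negative cases (C3, C4) are kept on purpose, since filtering on missed data or on repeated SYNs alone would also drop ordinary loss and retransmissions.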