<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">So recently I saw an SSH login to a device from outside the US. I reported it to the end system admin. The Zeek log set the auth_success state to true, but the admin of the box claims no successful login and is pushing back that it is a false positive.<div class=""><br class=""></div><div class="">Have other Zeek users ever seen this? Is the SSH auth state detection mistaken here?<div class="">I don’t have pcaps to verify one way or the other, sadly.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">{"_path":"ssh","_system_name":"corelight","_write_ts":"2019-09-12T22:26:32.106142Z","ts":"2019-09-12T22:26:31.226136Z","uid":"C95i0o2Jl77LXHb2R9","id.orig_h":"x.x.x.x","id.orig_p":49670,"id.resp_h":"x.x.x.x","id.resp_p":22,"version":2,"auth_success":true,"auth_attempts":1,"direction":"INBOUND","client":"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4","server":"SSH-2.0-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256@libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"68:1e:68:89:5e:e5:20:72:f7:e6:bf:21:de:07:3a:b1"}</div><div class=""><br class=""></div><div class="">Can anyone shed light on this?</div><div class=""><br class=""></div><div class="">Thanks</div><div class="">Jeff</div><div class=""><br class=""></div><div class=""><br class=""><div class="">
<div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 18px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;">Jeffrey Collyer<br class="">Information Security&nbsp;Engineer<br class="">University of Virginia<br class=""><a href="mailto:jwc3f@virginia.edu" class="">jwc3f@virginia.edu</a><br class=""></div></div></div></div></body></html>
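An added example, not code from the post above or from the Zeek project: a small Python triage script that reads JSON-formatted Zeek ssh.log records like the one quoted in the message and sorts inbound sessions into buckets that keep "Zeek decided the login succeeded" separate from "Zeek could not decide". It relies on one documented property of ssh.log: auth_success is an optional field, set to true or false when Zeek's heuristic reaches a verdict and omitted entirely otherwise. The sample records, the TRUSTED_NETS ranges and the RFC 5737 addresses standing in for the redacted x.x.x.x values are all constructed for the example.

```python
import ipaddress
import json

# Constructed sample ssh.log records in Zeek's JSON output format. The first
# mirrors the record from the post, with the redacted x.x.x.x addresses
# replaced by RFC 5737 documentation addresses; the other three are made up
# to cover the remaining auth_success states (false, and absent = unknown).
SAMPLE_SSH_LOG = """\
{"_path":"ssh","ts":"2019-09-12T22:26:31.226136Z","uid":"C95i0o2Jl77LXHb2R9","id.orig_h":"203.0.113.5","id.orig_p":49670,"id.resp_h":"192.0.2.10","id.resp_p":22,"version":2,"auth_success":true,"auth_attempts":1,"direction":"INBOUND","client":"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4","server":"SSH-2.0-OpenSSH_7.4"}
{"_path":"ssh","ts":"2019-09-12T22:30:02.000000Z","uid":"CexampleA","id.orig_h":"198.51.100.7","id.orig_p":51000,"id.resp_h":"192.0.2.10","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":3,"direction":"INBOUND","client":"SSH-2.0-libssh_0.8.1","server":"SSH-2.0-OpenSSH_7.4"}
{"_path":"ssh","ts":"2019-09-12T22:31:15.000000Z","uid":"CexampleB","id.orig_h":"10.20.30.40","id.orig_p":52000,"id.resp_h":"192.0.2.10","id.resp_p":22,"version":2,"direction":"INBOUND","client":"SSH-2.0-OpenSSH_7.9","server":"SSH-2.0-OpenSSH_7.4"}
{"_path":"ssh","ts":"2019-09-12T22:32:00.000000Z","uid":"CexampleC","id.orig_h":"10.20.30.41","id.orig_p":53000,"id.resp_h":"192.0.2.10","id.resp_p":22,"version":2,"auth_success":true,"auth_attempts":1,"direction":"INBOUND","client":"SSH-2.0-OpenSSH_7.9","server":"SSH-2.0-OpenSSH_7.4"}
"""

# Hypothetical "expected source" ranges for the SSH server (constructed);
# in practice these come from an asset inventory or VPN address pools.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def parse_ssh_log(text):
    """Parse JSON ssh.log output (one record per line) into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # Combined log streams carry a _path; keep only ssh records.
        if rec.get("_path", "ssh") == "ssh":
            records.append(rec)
    return records


def classify(rec, trusted_nets):
    """Return a triage verdict for one ssh.log record.

    A missing auth_success key means Zeek's heuristic did not reach a
    decision for this session, which is a different thing from a failure.
    """
    if rec.get("direction") == "OUTBOUND":
        return "outbound"
    if "auth_success" not in rec:
        return "unknown"
    if rec["auth_success"] is False:
        return "failed"
    orig = ipaddress.ip_address(rec["id.orig_h"])
    if any(orig in net for net in trusted_nets):
        return "success-trusted"
    # Claimed success from an unexpected source: cross-check against the
    # host's own sshd authentication log for this timestamp.
    return "review"


def triage(text, trusted_nets):
    """Classify every record and return the fields useful for follow-up."""
    out = []
    for rec in parse_ssh_log(text):
        out.append({
            "uid": rec["uid"],
            "ts": rec["ts"],
            "orig_h": rec["id.orig_h"],
            "resp_h": rec["id.resp_h"],
            "client": rec.get("client", "?"),
            "auth_attempts": rec.get("auth_attempts"),
            "verdict": classify(rec, trusted_nets),
        })
    return out


def review_candidates(text, trusted_nets):
    """Only the sessions Zeek marked successful from an unexpected source."""
    return [r for r in triage(text, trusted_nets) if r["verdict"] == "review"]


if __name__ == "__main__":
    for r in triage(SAMPLE_SSH_LOG, TRUSTED_NETS):
        print(f'{r["ts"]} {r["uid"]} {r["orig_h"]} -> {r["resp_h"]} '
              f'attempts={r["auth_attempts"]} client={r["client"]!r} '
              f'verdict={r["verdict"]}')
```

The point of the three-way split is that auth_success is a verdict from a traffic heuristic, not a record of what sshd did: a "review" entry is a prompt to compare the uid, timestamp and auth_attempts against the host's own authentication log, and a record with no auth_success at all should not be counted either way.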