<div dir="ltr"><div>Hi Jeffrey,</div><div><br></div><div>The SSH detection /should/ be fairly solid. I really tried to err on the side of caution, and to not make a determination if there was some room for doubt.</div><div><br></div><div>I haven't heard any reports about what specifically might cause a false positive, but I would guess: some uncommon SSH option (e.g. a large banner?) or some aggressive TCP settings.</div><div><br></div><div>If you can duplicate this by trying to log in against this server, and could share an anonymized PCAP, I'll work on updating the analyzer.</div><div><br></div><div>Thanks,</div><div><br></div><div> --Vlad<br></div><div><br></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Sep 16, 2019 at 7:17 PM Jim Mellander <<a href="mailto:jmellander@lbl.gov">jmellander@lbl.gov</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-family:arial,helvetica,sans-serif">Since Zeek only sees the encrypted traffic of an ssh session, it can only make a best guess based on packet-size analysis, which is not necessarily going to be 100% accurate.<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Sep 16, 2019 at 11:24 AM Collyer, Jeffrey W (jwc3f) <<a href="mailto:jwc3f@virginia.edu" target="_blank">jwc3f@virginia.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>So recently I saw an SSH login to a device from outside the US. I reported it to the end system admin. The Zeek log set the auth_success state to true, but the admin of the box claims no successful login and is pushing back that it is a false positive. <div><br></div><div>Have other Zeek users ever seen this? 
Is the SSH auth state detection mistaken here?<div>I don’t have pcaps to verify one way or the other, sadly.</div><div><br></div><div><br></div><div>{"_path":"ssh","_system_name":"corelight","_write_ts":"2019-09-12T22:26:32.106142Z","ts":"2019-09-12T22:26:31.226136Z","uid":"C95i0o2Jl77LXHb2R9","id.orig_h":"x.x.x.x","id.orig_p":49670,"id.resp_h":"x.x.x.x","id.resp_p":22,"version":2,"auth_success":true,"auth_attempts":1,"direction":"INBOUND","client":"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4","server":"SSH-2.0-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256@libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"68:1e:68:89:5e:e5:20:72:f7:e6:bf:21:de:07:3a:b1"}</div><div><br></div><div>Can anyone shed light on this?</div><div><br></div><div>Thanks</div><div>Jeff</div><div><br></div><div><br><div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:18px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">Jeffrey Collyer<br>Information Security Engineer<br>University of Virginia<br><a href="mailto:jwc3f@virginia.edu" target="_blank">jwc3f@virginia.edu</a><br></div></div></div></div></div>_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div>
</blockquote></div></div>
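As an added illustration (not code from this thread, and not part of Zeek), a small Python triage script that treats ssh.log auth_success the way Jim and Vlad describe it: a packet-size heuristic that is a lead to corroborate, not proof of a login. It flags inbound hits whose source is outside assumed trusted ranges and tells the analyst what to check next. The sample log lines, the IPs and the TRUSTED_NETS ranges are constructed placeholders.

```python
"""Triage Zeek ssh.log (JSON lines) records whose auth_success flag fired.

Zeek cannot see inside the encrypted session; auth_success is inferred from
packet sizes, so a hit must be corroborated against host-side evidence.
"""
import ipaddress
import json

# Constructed sample lines modelled on the record in the thread (placeholder IPs).
SAMPLE_LOG = """
{"_path":"ssh","ts":"2019-09-12T22:26:31.226136Z","uid":"C95i0o2Jl77LXHb2R9","id.orig_h":"203.0.113.7","id.orig_p":49670,"id.resp_h":"192.0.2.10","id.resp_p":22,"version":2,"auth_success":true,"auth_attempts":1,"direction":"INBOUND","client":"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4","server":"SSH-2.0-OpenSSH_7.4"}
{"_path":"ssh","ts":"2019-09-12T22:30:00.000000Z","uid":"CqQ1xk3ZzWfH9k0b6","id.orig_h":"10.20.30.40","id.orig_p":51000,"id.resp_h":"192.0.2.10","id.resp_p":22,"version":2,"auth_success":true,"auth_attempts":1,"direction":"INBOUND"}
{"_path":"ssh","ts":"2019-09-12T22:31:00.000000Z","uid":"CfRb4s2d6f8Hj1kL","id.orig_h":"198.51.100.9","id.orig_p":52000,"id.resp_h":"192.0.2.10","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":3,"direction":"INBOUND"}
{"_path":"ssh","ts":"2019-09-12T22:32:00.000000Z","uid":"CzZ9y8x7w6v5u4t","id.orig_h":"192.0.2.10","id.orig_p":53000,"id.resp_h":"198.51.100.20","id.resp_p":22,"version":2,"direction":"OUTBOUND"}
"""

# Hypothetical "expected" source ranges (campus, VPN); anything else gets a closer look.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]


def needs_review(rec):
    """Return a reason string if the record deserves analyst attention, else None."""
    if rec.get("direction") != "INBOUND":
        return None
    # auth_success is absent when Zeek declined to guess (it errs on the side of caution).
    if rec.get("auth_success") is not True:
        return None
    src = ipaddress.ip_address(rec["id.orig_h"])
    if any(src in net for net in TRUSTED_NETS):
        return None
    return ("heuristic auth_success=true from untrusted %s after %d attempt(s); "
            "corroborate with the sshd auth log on %s or a PCAP of uid %s"
            % (src, rec.get("auth_attempts", 0), rec["id.resp_h"], rec["uid"]))


def triage(log_text):
    """Parse JSON-lines ssh.log text; return (uid, reason) pairs needing review."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("_path", "ssh") != "ssh":
            continue  # skip records from other Zeek logs mixed into the stream
        reason = needs_review(rec)
        if reason:
            hits.append((rec["uid"], reason))
    return hits


if __name__ == "__main__":
    for uid, reason in triage(SAMPLE_LOG):
        print(uid, "->", reason)
```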