[Bro] Hui Lin_SSH Analyzer

Seth Hall seth at icir.org
Mon Jun 18 08:29:39 PDT 2012

On Jun 18, 2012, at 10:35 AM, Hui Lin (Hugo) wrote:

> When I test these two events with the default implementation, I find that the log file always record a failed ssh log in to the system even if I log in correctly by user/authentication. I want to check when these two events are called, but I could not find ssh analyzer binpac code. 

Those are script-land events.  Currently all events generated by core code (typically the analyzers) are defined in events.bif. You can see in the SSH scripts where those events are generated.

The reason you're seeing a false positive is because the SSH successful login code uses a heuristic to guess if the login was successful or not and sometimes it's wrong.

> so I am wondering, how can I correctly record the ssh log in with user/password authentication and with the user name logged in plain text. 

That information is encrypted in SSH.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list