[Bro] Hui Lin_SSH Analyzer

Hui Lin (Hugo) hlin33 at illinois.edu
Mon Jun 18 09:25:03 PDT 2012

On Mon, Jun 18, 2012 at 10:29 AM, Seth Hall <seth at icir.org> wrote:

> On Jun 18, 2012, at 10:35 AM, Hui Lin (Hugo) wrote:
> > When I test these two events with the default implementation, I find
> that the log file always record a failed ssh log in to the system even if I
> log in correctly by user/authentication. I want to check when these two
> events are called, but I could not find ssh analyzer binpac code.
> Those are script-land events.  Currently all events generated by core code
> (typically the analyzers) are defined in events.bif. You can see in the SSH
> scripts where those events are generated.

It seems that these two events are included in event.bif.bro any more.

> The reason you're seeing a false positive is because the SSH successful
> login code uses a heuristic to guess if the login was successful or not and
> sometimes it's wrong

> > so I am wondering, how can I correctly record the ssh log in with
> user/password authentication and with the user name logged in plain text.
> That information is encrypted in SSH.

I see.

I accidentally find that there is also syslog policy in Bro. I know that
SSH login to the host machine will be logged in auth.log. I am wondering
whether Bro can log the SSH login through the syslog policy. At least, I am
not successful in my test.

>  .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120618/9ce00334/attachment.html 

More information about the Bro mailing list