[Bro] Hui Lin_SSH Analyzer
Hui Lin (Hugo)
hlin33 at illinois.edu
Mon Jun 18 09:25:03 PDT 2012
On Mon, Jun 18, 2012 at 10:29 AM, Seth Hall <seth at icir.org> wrote:
> On Jun 18, 2012, at 10:35 AM, Hui Lin (Hugo) wrote:
> > When I test these two events with the default implementation, I find
> > that the log file always records a failed ssh login to the system even if I
> > log in correctly by user/authentication. I want to check when these two
> > events are called, but I could not find ssh analyzer binpac code.
> Those are script-land events. Currently all events generated by core code
> (typically the analyzers) are defined in events.bif. You can see in the SSH
> scripts where those events are generated.
It seems that these two events are not included in event.bif.bro any more.
> The reason you're seeing a false positive is because the SSH successful
> login code uses a heuristic to guess if the login was successful or not and
> sometimes it's wrong.
> > So I am wondering how I can correctly record the ssh login with
> > user/password authentication and with the user name logged in plain text.
> That information is encrypted in SSH.
I accidentally found that there is also a syslog policy in Bro. I know that
an SSH login to the host machine will be logged in auth.log. I am wondering
whether Bro can log the SSH login through the syslog policy. At least, I was
not successful in my test.
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
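The point of the exchange above is that the username and authentication method never cross the wire in clear text, so a network monitor can only guess at SSH login success, while the host's own sshd lines in auth.log state outcome, method and user explicitly (and Bro's syslog analyzer only sees those lines if the host forwards its syslog to a collector over the network). Below is an added example, not code from the original thread or from the Bro project, that parses auth.log-style sshd lines into structured events and separates accepted logins from failures; the log lines are constructed samples and the function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Matches the sshd authentication lines that syslog writes to auth.log on
# most Linux hosts, e.g.
#   "sshd[2143]: Accepted password for alice from 10.0.0.5 port 51234 ssh2"
#   "sshd[2150]: Failed password for invalid user admin from 192.0.2.7 port 40122 ssh2"
SSHD_AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass
class SshAuthEvent:
    outcome: str        # "Accepted" or "Failed"
    method: str         # "password", "publickey", ...
    user: str
    invalid_user: bool  # sshd tags attempts against unknown accounts as "invalid user"
    src: str
    port: int


def parse_sshd_line(line: str) -> Optional[SshAuthEvent]:
    """Return a structured event for an sshd Accepted/Failed line, else None."""
    m = SSHD_AUTH_RE.search(line)
    if m is None:
        return None
    return SshAuthEvent(
        outcome=m.group("outcome"),
        method=m.group("method"),
        user=m.group("user"),
        invalid_user=m.group("invalid") is not None,
        src=m.group("src"),
        port=int(m.group("port")),
    )


def parse_auth_log(lines: Iterable[str]) -> List[SshAuthEvent]:
    """Parse every line, silently skipping non-authentication sshd/cron noise."""
    events = []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is not None:
            events.append(ev)
    return events


def successful_logins(events: Iterable[SshAuthEvent]) -> List[SshAuthEvent]:
    """The ground truth the network heuristic can only guess at."""
    return [e for e in events if e.outcome == "Accepted"]


def failures_by_source(events: Iterable[SshAuthEvent]) -> Dict[str, int]:
    """Count failed attempts per source address, a simple brute-force indicator."""
    counts: Dict[str, int] = {}
    for e in events:
        if e.outcome == "Failed":
            counts[e.src] = counts.get(e.src, 0) + 1
    return counts


# Constructed sample auth.log lines (hypothetical host, users and addresses).
SAMPLE_AUTH_LOG = [
    "Jun 18 09:20:01 host sshd[2143]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Jun 18 09:20:45 host sshd[2150]: Failed password for invalid user admin from 192.0.2.7 port 40122 ssh2",
    "Jun 18 09:20:47 host sshd[2150]: Failed password for invalid user admin from 192.0.2.7 port 40122 ssh2",
    "Jun 18 09:21:03 host sshd[2160]: Accepted publickey for bob from 10.0.0.8 port 51300 ssh2",
    "Jun 18 09:21:10 host sshd[2161]: Connection closed by 10.0.0.9 port 51311 [preauth]",
    "Jun 18 09:21:20 host CRON[2170]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for e in successful_logins(evs):
        print(f"login ok: user={e.user} method={e.method} from {e.src}:{e.port}")
    for src, n in failures_by_source(evs).items():
        print(f"{n} failed attempts from {src}")
```

The regex deliberately keys on sshd's own "Accepted"/"Failed" wording rather than on connection behaviour, which is exactly the information that is unavailable to a passive network analyzer; the "invalid user" flag is worth keeping separately, since attempts against non-existent accounts are the usual signature of scanning rather than a user mistyping a password.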