[Bro] Hui Lin_SSH Analyzer

Seth Hall seth at icir.org
Mon Jun 18 09:44:12 PDT 2012

On Jun 18, 2012, at 12:25 PM, Hui Lin (Hugo) wrote:

> It seems that these two events are included in event.bif.bro any more.

They never were included in that file since they aren't events from the core.

> I accidentally find that there is also syslog policy in Bro. I know that SSH login to the host machine will be logged in auth.log. I am wondering whether Bro can log the SSH login through the syslog policy. At least, I am not successful in my test. 

That's for analyzing the syslog protocol, you just have to make sure that the host sniffing traffic would see the syslog traffic or you could use the input framework from the upcoming Bro 2.1 (it's in the the master branch already) to read the log file in directly if it's on some host in your cluster.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list