[Bro] Hui Lin_SSH Analyzer
seth at icir.org
Mon Jun 18 09:44:12 PDT 2012
On Jun 18, 2012, at 12:25 PM, Hui Lin (Hugo) wrote:
> It seems that these two events aren't included in event.bif.bro any more.
They never were included in that file since they aren't events from the core.
> I accidentally found that there is also a syslog policy in Bro. I know that an SSH login to the host machine will be logged in auth.log. I am wondering whether Bro can log the SSH login through the syslog policy. At least, I was not successful in my test.
That's for analyzing the syslog protocol. You just have to make sure that the host sniffing traffic would see the syslog traffic, or you could use the input framework from the upcoming Bro 2.1 (it's in the master branch already) to read the log file in directly if it's on some host in your cluster.
International Computer Science Institute
(Bro) because everyone has a network
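The second option Seth describes, reading auth.log straight from disk with the Bro 2.1 input framework, looks like the script below. This is an added example, not code from the original thread or from the Bro distribution. It assumes the Bro 2.1 input framework API (Input::add_event with the raw reader, which hands each line to an event as a string), that sshd writes to /var/log/auth.log on the Bro host, and that the login lines have the usual "sshd[PID]: Accepted password|publickey for USER" shape; the module name AuthLog, the event name, and the regular expression are this example's own choices.

```bro
# Added example: tail /var/log/auth.log with the Bro 2.1 input framework
# and record SSH logins in a custom log stream.  Not part of the original
# thread; the module name, event name and regex are assumptions.
module AuthLog;

export {
    redef enum Log::ID += { LOG };

    # One row per accepted SSH login seen in auth.log.
    type Info: record {
        ts:   time   &log;   # when Bro read the line
        line: string &log;   # the raw syslog line
    };
}

# The raw reader delivers each line of the file as a single string field.
type Val: record {
    s: string;
};

# Called once per line appended to auth.log (assumed event name).
event AuthLog::line(description: Input::EventDescription, tpe: Input::Event, s: string)
{
    # Assumed sshd message format: "sshd[1234]: Accepted publickey for alice from ..."
    if ( /sshd\[[0-9]+\]: Accepted (password|publickey) for / in s )
        Log::write(AuthLog::LOG, [$ts=current_time(), $line=s]);
}

event bro_init()
{
    Log::create_stream(AuthLog::LOG, [$columns=Info]);

    # STREAM mode keeps the file open and follows new lines, like tail -f.
    Input::add_event([$source="/var/log/auth.log",
                      $name="auth_log",
                      $reader=Input::READER_RAW,
                      $mode=Input::STREAM,
                      $fields=Val,
                      $ev=AuthLog::line,
                      $want_record=F]);
}
```

Bro needs read permission on auth.log, which is usually root- or adm-group-only; on a cluster the script has to run on the node that actually holds the file, since the input framework reads local paths. Logins that fail never produce an "Accepted" line, so extend the pattern (for example with "Failed password") if those should be recorded too.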