[Bro] SSH Login Notices - Filter out internal to internal connections

Mike Kolkebeck mkolkebeck at gmail.com
Fri Nov 16 20:11:03 PST 2012

SSH::Login Notices for internal to internal connections can get fairly

What is the most efficient way to filter out these notices for internal to
internal without filtering for external connections?

I was thinking of ignoring the SSH::Login notices altogether, but then I
believe I need to add a new Notice Type and fire a new notice on event
SSH::heuristic_successful_login.  See example code below.

Is there a more efficient way of doing this?  I know editing the base ssh
bro script is a big no-no.


redef enum Notice::Type += {

# This is our list of internal addresses to exclude
global ssh_ignore: set[subnet] = {,      # internal 1,              # internal 2

# Ignore SSH::Login Notice Type
redef Notice::ignored_types += { SSH::Login };

# Add new Notice Type to successful login
event SSH::heuristic_successful_login(c: connection) &priority=0
                if ( c$id$resp_h !in ssh_ignore ) {
                        $msg="Heuristically detected successful SSH login.",
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20121116/104aceaa/attachment.html 

More information about the Bro mailing list