[Bro] ssh successful logins appear as failed

John Babio jbabio at po-box.esu.edu
Mon Jul 1 14:50:20 PDT 2013

Well here is what is interesting about it. I do a tcpdump and I see the traffic coming in the span port. I am not understanding why it thinks the sessions did not complete.

From: Siwek, Jonathan Luke [jsiwek at illinois.edu]
Sent: Monday, July 01, 2013 4:53 PM
To: John Babio
Cc: bro at bro.org
Subject: Re: [Bro] ssh successful logins appear as failed

On Jul 1, 2013, at 2:17 PM, John Babio <jbabio at po-box.esu.edu> wrote:

> I was testing out the script from the manual. I was trying to figure out why the notice logs were not triggering. It turns out bro is seeing successful logins as failures. This is really odd.

Typically, SSH user authentication protocol messages are already encrypted.  A third-party snooping on the exchange can't be 100% positive of the results.  See [1] for more on how Bro does it and for tuning options.  If you're just manually testing things out with your own SSH sessions, make sure to actually do some stuff in your session so Bro will see enough data exchanged to guess a success instead of failure.

- Jon

[1] http://bro.org/sphinx/scripts/base/protocols/ssh/main.html

More information about the Bro mailing list