[Bro] ssh successful logins appear as failed

Jesse Bowling jessebowling at gmail.com
Mon Jul 1 16:41:57 PDT 2013

Hi John,

First, take this with a grain of salt, as I'm not an expert on Bro but
expect if I'm incorrect about the below I'll be quickly corrected on-list.

I believe you're confused regarding the use of 'session' at both layer 3/4
and higher layers...SSH is using TCP, and a TCP session is certainly
established. What Bro is alerting on is how much data is exchanged in an
active SSH session (carried over the TCP session). In other words, since
SSH is encrypted after the initial key exchange, we can only guess if
someone is logging in and immediately exitiing, or trying to log in 3 times
and getting their session reset. This is the heuristic part. :)

Essentially a variable is defined that says "if you see X amount of
application data exchanged, assume the connection was successful,
otherwise, assume the connection failed".

Stated yet another way, Bro is attempting to guess whether someone was able
to provide the proper authentication based on how much application data is
transferred, not whether someone was able to successfully establish a TCP
session with the port.

The tricky part about this detection method is that you may run into
erroneous results in that someone who connects on the first login attempt
and then simply exits may exchange less application data than the limit
that is defined. So while they were in fact successful in logging in, Bro
falsely assumes that the session failed because so little data is

Sound right everyone? Make sense John?



On Mon, Jul 1, 2013 at 5:50 PM, John Babio <jbabio at po-box.esu.edu> wrote:

> Well here is what is interesting about it. I do a tcpdump and I see the
> traffic coming in the span port. I am not understanding why it thinks the
> sessions did not complete.
> ________________________________________
> From: Siwek, Jonathan Luke [jsiwek at illinois.edu]
> Sent: Monday, July 01, 2013 4:53 PM
> To: John Babio
> Cc: bro at bro.org
> Subject: Re: [Bro] ssh successful logins appear as failed
> On Jul 1, 2013, at 2:17 PM, John Babio <jbabio at po-box.esu.edu> wrote:
> > I was testing out the script from the manual. I was trying to figure out
> why the notice logs were not triggering. It turns out bro is seeing
> successful logins as failures. This is really odd.
> Typically, SSH user authentication protocol messages are already
> encrypted.  A third-party snooping on the exchange can't be 100% positive
> of the results.  See [1] for more on how Bro does it and for tuning
> options.  If you're just manually testing things out with your own SSH
> sessions, make sure to actually do some stuff in your session so Bro will
> see enough data exchanged to guess a success instead of failure.
> - Jon
> [1] http://bro.org/sphinx/scripts/base/protocols/ssh/main.html
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

Jesse Bowling
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130701/3e361be6/attachment.html 

More information about the Bro mailing list