[Bro] Bro install on new machine - SSH logging broken

Nicholas Siow n.siow at wustl.edu
Thu Oct 31 10:58:49 PDT 2013


Hello all,

We recently did a fresh install of Bro 2.1 on a new machine as per the
quick start guide. This machine has been watching traffic for about a week
now and all of the logs seem to be fine except for the SSH logs, which have
the following problems.

1) These logs are not adding geo-location information. The MaxMind
databases were installed and put in the proper location, and a quick Bro
script that called the lookup_location() function seems to be working fine
in retrieving this information. However, none of this information is
logged, even for heuristically successful connections.

2) About half of the entries in the SSH log have a status of
"undetermined". This is not something we saw before on our older machine,
where every entry was listed as either a 'success' or 'failure' in the
status column.

3) The "resp_size" field of *every* entry is 0. Once again, this is not
something that we have seen before.

I should also mention that we have an older machine watching the exact
same network as this one (though with a smaller network card) and that one
seems to be picking up on SSH traffic fine. Any idea what's going on here?


Thank you,
N. Siow