[Bro] Bro install on new machine - SSH logging broken

James Lay jlay at slave-tothe-box.net
Thu Oct 31 18:15:32 PDT 2013

For what it’s worth, I only see 0 response on mine…but I don’t see the other two symptoms.


On Oct 31, 2013, at 12:25 PM, James Lay <jlay at slave-tothe-box.net> wrote:

> On 2013-10-31 11:58, Nicholas Siow wrote:
>> Hello all,
>> We recently did a fresh install of Bro 2.1 on a new machine as per the
>> quick start guide. This machine has been watching traffic for about a
>> week now and all of the logs seem to be fine except for the SSH logs,
>> which have the following problems.
>> 1) These logs are not adding geo-location information. The MaxMind
>> databases were installed and put in the proper location, and a quick
>> bro script that called the lookup_location() function seems to be
>> working fine in retrieving this information. However, none of this
>> information is logged, even for heuristically successful connections.
>> 2) About half of the entries in the SSH log have a status of
>> "undetermined". This is not something we saw before on our older
>> machine, where every entry was listed as either a success or failure
>> in the status column.
>> 3) The "resp_size" field of EVERY entry is 0. Once again, this is not
>> something that we have seen before.
>> I should also mention that we have an older machine watching the
>> exact same network as this one (though with a smaller network card)
>> and that one seems to be picking up on SSH traffic fine. Any idea
>> what's going on here?
>> Thank you,
>> N. Siow
> Run without checksums and see if you notice a difference:
> broctl.cfg
> <snip>
> broargs = --no-checksums
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
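Added example (not code from the thread or from the Bro project): a POSIX shell script that first checks whether Bro is actually dropping packets for checksum failures, by counting the bad_TCP_checksum / bad_UDP_checksum / bad_IP_checksum entries Bro writes to weird.log, and then applies James's suggestion by making sure `broargs = --no-checksums` is present in broctl.cfg without clobbering any other arguments already on that line. The weird.log lines, the broctl.cfg contents and the temp-directory paths are constructed here for the demo; the script assumes Bro 2.x weird.log column layout (the weird name is the 7th tab-separated field). After editing broctl.cfg you still need `broctl install` and a restart for the change to take effect. A practitioner's caveat, general knowledge rather than something the thread states: on a dedicated capture NIC, checksum failures are commonly caused by offload features such as GRO/LRO on the monitoring interface, which `ethtool -k <iface>` will show; fixing that at the NIC is preferable to telling Bro to ignore checksums, since `--no-checksums` also silences genuinely corrupt packets.

```shell
#!/bin/sh
# Added example: diagnose checksum drops in Bro 2.x and set --no-checksums
# in broctl.cfg. Nothing below is from the mailing-list thread itself.
set -eu

# Count checksum-related weird events in a Bro 2.x weird.log.
# weird.log is tab-separated and the "name" column is the 7th field;
# comment/header lines start with '#'.
count_checksum_weirds() {
    awk -F'\t' '/^#/ {next}
                $7 ~ /^bad_(TCP|UDP|IP|ICMP)_checksum$/ {n++}
                END {print n+0}' "$1"
}

# Print the value of the last "key = value" assignment for $2 in cfg file $1.
broctl_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Ensure broargs contains --no-checksums. Keeps any existing arguments on the
# broargs line and does nothing if the flag is already there (idempotent).
# Remember: `broctl install` + restart is required for broctl to pick this up.
ensure_no_checksums() {
    cfg=$1
    current=$(broctl_get "$cfg" broargs)
    case " $current " in
        *" --no-checksums "*) return 0 ;;
    esac
    if [ -n "$current" ]; then
        sed "s|^\([[:space:]]*broargs[[:space:]]*=\).*|\1 $current --no-checksums|" \
            "$cfg" > "$cfg.tmp"
        mv "$cfg.tmp" "$cfg"
    else
        printf 'broargs = --no-checksums\n' >> "$cfg"
    fi
}

# --- Demo on constructed data: a fake weird.log and broctl.cfg in a temp dir ---
demo_dir=$(mktemp -d)

# Constructed weird.log: two checksum drops on port 22 traffic, one unrelated weird.
{
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer\n'
    printf '1383242132.000000\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t10.0.0.22\t22\tbad_TCP_checksum\t-\tF\tbro\n'
    printf '1383242133.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.5\t51235\t10.0.0.22\t22\tbad_TCP_checksum\t-\tF\tbro\n'
    printf '1383242134.000000\tCtPZjS20MLrsMUOJi2\t10.0.0.9\t4444\t10.0.0.1\t53\tdns_unmatched_msg\t-\tF\tbro\n'
} > "$demo_dir/weird.log"

# Constructed broctl.cfg without a broargs line yet.
printf 'MailTo = root@localhost\nLogRotationInterval = 3600\n' > "$demo_dir/broctl.cfg"

echo "checksum weirds: $(count_checksum_weirds "$demo_dir/weird.log")"
ensure_no_checksums "$demo_dir/broctl.cfg"
ensure_no_checksums "$demo_dir/broctl.cfg"   # second call must be a no-op
echo "broargs is now: $(broctl_get "$demo_dir/broctl.cfg" broargs)"
```

If the weird count is large relative to the number of SSH connections, Bro is discarding most of the packets before the SSH analyzer sees them, which is consistent with a resp_size of 0 and an undetermined status; if the count is zero, checksums are not the problem and `--no-checksums` will not help.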
