[Bro] SSH heuristic

Benson Mathews benson.mathews at gmail.com
Fri Sep 13 08:28:53 PDT 2013

I had a question about the SSH analyzer and how it determines a successful
connection. I have a bro notification for a successful SSH login to a
system on my network for a connection originating from outside US. Log
conn.log    2013-09-01 10:04:31     KIDipWlFWSi     y.y.y.y  40014
x.x.x.x  22      tcp     ssh     147.140508      1160    2377    S3
F       0       ShAadDf 21      2664    48      8221
ssh.log    2013-09-01 10:04:33     KIDipWlFWSi     y.y.y.y  40014
x.x.x.x  22      success INBOUND SSH-2.0-libssh-0.2
SSH-2.0-OpenSSH_5.9     5725    CN      -       -       -       -

The log entry is dated on the 1st and my client side logs have rolled over,
so I can't valid this with syslog on the client.

I wanted to check if there's a chance this could be a false positive. Also,
the switch providing the feed itself is dropping packets and I see alerts
for CaptureLoss::Too_Much_Loss and PacketFilter::Dropped_Packets.

Would this loss cause Bro to misinterpret a brute forcing/scan attempt to a
successful login?

I'm running Bro 2.0.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130913/c295a460/attachment.html 

More information about the Bro mailing list