[Bro] SSH heuristic
alexwis at gmail.com
Fri Sep 13 10:47:10 PDT 2013
Right, if the ssh connection's response bytes are above this threshold
it'll log the session as having a successful login. If you have a large
pre-auth login banner (usually for compliance reasons) it will very likely
report as a false positive.
On Fri, Sep 13, 2013 at 9:42 AM, Oehlert, Samuel <soehlert at illinois.edu> wrote:
> For the first part, that "5725" is the number of response bytes. The
> threshold for what is considered successful is: const
> authentication_data_size, which can be found in:
> /bro/share/bro/base/protocols/ssh and I believe its default value was
> either 5000 or 5500 on 2.0. Though if you want to redef this you'll want to
> do it elsewhere such as your local.bro. Seth spent lots of time figuring
> out the best threshold, but it is still only a guess based on bytes, so
> there will be false positives. We find that many of them just around 5000
> bytes were false positives.
> I don't know about your second part off the top of my head.
> On 9/13/13 10:28 AM, Benson Mathews wrote:
> I had a question about the SSH analyzer and how it determines a successful
> connection. I have a bro notification for a successful SSH login to a
> system on my network for a connection originating from outside US. Log:
>
> conn.log 2013-09-01 10:04:31 KIDipWlFWSi y.y.y.y 40014 x.x.x.x 22 tcp ssh 147.140508 1160 2377 S3 F 0 ShAadDf 21 2664 48 8221
>
> ssh.log 2013-09-01 10:04:33 KIDipWlFWSi y.y.y.y 40014 x.x.x.x 22 success INBOUND SSH-2.0-libssh-0.2 SSH-2.0-OpenSSH_5.9 5725 CN - - - -
>
> The log entry is dated on the 1st and my client side logs have rolled
> over, so I can't validate this with syslog on the client.
> I wanted to check if there's a chance this could be a false positive.
> Also, the switch providing the feed itself is dropping packets and I see
> alerts for CaptureLoss::Too_Much_Loss and PacketFilter::Dropped_Packets.
> Would this loss cause Bro to misinterpret a brute forcing/scan attempt to
> a successful login?
> I'm running Bro 2.0.
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> Sam Oehlert
> Security Engineer
> NCSA
> soehlert at illinois.edu
> (217) 300-1076