[Bro] SSH heuristic

Benson Mathews benson.mathews at gmail.com
Tue Sep 17 13:55:57 PDT 2013


Makes sense. Thanks for the response!


On Fri, Sep 13, 2013 at 1:47 PM, Alex Waher <alexwis at gmail.com> wrote:

> Right, if the ssh connection's response bytes are above this threshold
> it'll log the session as having a successful login. If you have a large
> pre-auth login banner (usually for compliance reasons) it will very likely
> report as a false positive.
>
>
> On Fri, Sep 13, 2013 at 9:42 AM, Oehlert, Samuel <soehlert at illinois.edu> wrote:
>
>>  For the first part, that "5725" is the number of response bytes. The
>> threshold for what is considered successful is: const
>> authentication_data_size, which can be found in:
>> /bro/share/bro/base/protocols/ssh and I believe its default value was
>> either 5000 or 5500 on 2.0. Though if you want to redef this you'll want to
>> do it elsewhere such as your local.bro. Seth spent lots of time figuring
>> out the best threshold, but it is still only a guess based on bytes, so
>> there will be false positives. We find that many of them just around 5000
>> bytes were false positives.
>>
>> I don't know about your second part off the top of my head.
>>
>> -Sam
>>
>>
>>
>>
>> On 9/13/13 10:28 AM, Benson Mathews wrote:
>>
>> I had a question about the SSH analyzer and how it determines a
>> successful connection. I have a bro notification for a successful SSH login
>> to a system on my network for a connection originating from outside US. Log
>> entry:
>> conn.log    2013-09-01 10:04:31     KIDipWlFWSi     y.y.y.y  40014   x.x.x.x  22      tcp     ssh     147.140508      1160    2377    S3      F       0       ShAadDf 21      2664    48      8221
>> ssh.log    2013-09-01 10:04:33     KIDipWlFWSi     y.y.y.y  40014   x.x.x.x  22      success INBOUND SSH-2.0-libssh-0.2      SSH-2.0-OpenSSH_5.9     5725    CN      -       -       -       -
>>
>> The log entry is dated on the 1st and my client side logs have rolled
>> over, so I can't validate this with syslog on the client.
>>
>> I wanted to check if there's a chance this could be a false positive.
>> Also, the switch providing the feed itself is dropping packets and I see
>> alerts for CaptureLoss::Too_Much_Loss and PacketFilter::Dropped_Packets.
>>
>> Would this loss cause Bro to misinterpret a brute forcing/scan attempt as
>> a successful login?
>>
>> I'm running Bro 2.0.
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>>
>> --
>> Sam Oehlert
>> Security Engineer
>> NCSAsoehlert at illinois.edu(217)300-1076
>>
>>
>>
>
>
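As an added illustration (not code from the thread, and not Bro's own SSH analyzer), the Python below re-applies the byte-count rule Sam and Alex describe to ssh.log rows like the one quoted above, and shows the two defender-side checks that follow from the thread: flag "success" rows that only just cross the threshold for manual review, and discount a known pre-auth banner before comparing. Assumed (not from the page): a 5500-byte threshold, the ssh.log column order, and a per-host table of banner sizes taken from each server's sshd config.

```python
# Bro 2.0 ssh.log columns as read off the entry quoted in the thread; the order is
# an assumption, and trailing columns after the country code are ignored.
SSH_LOG_FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "status",
                  "direction", "client", "server", "resp_size", "cc")

DEFAULT_THRESHOLD = 5500   # authentication_data_size; 5000 or 5500 per the thread, 5500 assumed
NEAR_MARGIN = 500          # the band "just around" the threshold where false positives clustered

def classify(resp_size, threshold=DEFAULT_THRESHOLD, banner_bytes=0, margin=NEAR_MARGIN):
    """Re-apply the heuristic: more response bytes than the threshold means a login.
    banner_bytes (assumed known from the server's config) is subtracted first so a
    large pre-auth banner cannot push a failed login over the line."""
    effective = resp_size - banner_bytes
    if effective <= threshold:
        return "failure"
    if effective - threshold < margin:
        return "success-review"   # barely over the cut-off: treat as unconfirmed
    return "success"

def parse_ssh_log(text):
    """Parse tab-separated ssh.log rows into dicts; resp_size becomes an int."""
    rows = []
    for line in text.strip().splitlines():
        rec = dict(zip(SSH_LOG_FIELDS, line.split("\t")))
        rec["resp_size"] = int(rec["resp_size"])
        rows.append(rec)
    return rows

def review(text, banners=None, threshold=DEFAULT_THRESHOLD):
    """Return {uid: verdict} for every row the analyzer marked 'success'."""
    banners = banners or {}
    verdicts = {}
    for rec in parse_ssh_log(text):
        if rec["status"] == "success":
            verdicts[rec["uid"]] = classify(rec["resp_size"], threshold,
                                            banners.get(rec["resp_h"], 0))
    return verdicts

# Constructed sample log: the thread's 5725-byte entry plus two made-up rows.
SAMPLE = "\n".join("\t".join(r) for r in [
    ("2013-09-01 10:04:33", "KIDipWlFWSi", "y.y.y.y", "40014", "x.x.x.x", "22",
     "success", "INBOUND", "SSH-2.0-libssh-0.2", "SSH-2.0-OpenSSH_5.9", "5725", "CN"),
    ("2013-09-01 10:05:10", "Cuid2", "z.z.z.z", "40123", "x.x.x.x", "22",
     "success", "INBOUND", "SSH-2.0-OpenSSH_6.2", "SSH-2.0-OpenSSH_5.9", "9400", "US"),
    ("2013-09-01 10:06:02", "Cuid3", "y.y.y.y", "40200", "x.x.x.x", "22",
     "failure", "INBOUND", "SSH-2.0-libssh-0.2", "SSH-2.0-OpenSSH_5.9", "2100", "CN"),
])

if __name__ == "__main__":
    print(review(SAMPLE))                              # no banner size known
    print(review(SAMPLE, banners={"x.x.x.x": 1500}))   # server sends a 1500-byte pre-auth banner
```

With no banner information the thread's entry lands in the review band; once a 1500-byte banner is discounted it drops below the threshold entirely, which is exactly the false-positive mechanism Alex describes.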

