[Bro] Question on quick start documentation SSH:Login example.

nithen nithen at gmail.com
Wed Aug 6 13:33:54 PDT 2014

Thank you Jon and Justin. I really appreciate your help!

Jon, I could not get your script working - so I took a step back to
check my installation. I wanted to confirm that my default scripts

I set up the following lab:

Kali Linux -> Bro SPAN -> Metasploitable

Using: FreeBSD + Bro 2.3 (compiled from source)

Test: trigger /usr/local/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro

Verified: loaded_scripts.log (script is loaded), ssh.log (ssh login
attempts there).

So here is an extract of the ssh.log:
1407355776.833081	CNjybf25kbwTIpD9D6	58904	22	undetermined	INBOUND	SSH-2.0-MEDUSA_1.0	-	-	-
1407355784.647680	CGYsSAwShJeTcT2t8	58905	22	undetermined	INBOUND	SSH-2.0-MEDUSA_1.0	-	-	-

I checked the threshold in the Bro script:
const password_guesses_limit: double = 30

I hit the SSH server with over 500 incorrect root logins; however, no alerts were noted.

Any ideas on where I should start investigating? Do you require more

Thank you,
