[Bro] Question on quick start documentation SSH:Login example.
jlay at slave-tothe-box.net
Wed Aug 6 13:45:50 PDT 2014
On 2014-08-06 14:33, nithen wrote:
> Thank you Jon and Justin. I really appreciate your help!
> Jon, I could not get your script working - so I took a step back to
> check my installation. I wanted to confirm that my default scripts
> I set up the following lab:
> Kali Linux -> Bro SPAN -> Metasploitable
> Using: FreeBSD + Bro 2.3 (compiled from source)
> Test: trigger
> Verified: loaded_scripts.log (script is loaded), ssh.log (ssh login
> attempts there).
> So here is an extract of the ssh.log:
> 1407355776.833081 CNjybf25kbwTIpD9D6 192.168.88.2 58904 192.168.88.101 22 undetermined INBOUND SSH-2.0-MEDUSA_1.0 - - -
> 1407355784.647680 CGYsSAwShJeTcT2t8 192.168.88.2 58905 192.168.88.101 22 undetermined INBOUND SSH-2.0-MEDUSA_1.0 - - -
> I checked the threshold in the Bro script:
> const password_guesses_limit: double = 30
> I hit the SSH server with over 500 incorrect root logins - however, no
> alerts were noted.
> Any ideas on where I should start investigating? Do you require more
> Thank you,
From the script:
	# Generate the notice.
	$msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
Would that be in the ssh.log or the notice.log?
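The NOTICE() call quoted above lands in notice.log, not ssh.log. To see what the detector has to count before that message can appear, here is an added example (not from this thread or from the Bro project) that replays ssh.log lines in the column layout shown above against the quoted password_guesses_limit. It assumes whitespace-separated columns in the order ts, uid, orig_h, orig_p, resp_h, resp_p, status, direction, client, and assumes that only connections whose status is "failure" count toward the limit; the extra log lines are constructed.

```python
"""Replay Bro-2.3-style ssh.log lines against the password-guessing threshold.

Added example; assumptions: column order as in the thread's extract, and only
status == "failure" feeds the guesser count (connections left "undetermined"
by the heuristic contribute nothing).
"""
from collections import Counter

PASSWORD_GUESSES_LIMIT = 30  # value quoted from the script in the thread

# Constructed sample: the two lines from the thread plus 31 synthetic
# "failure" connections from a second source, 10.0.0.5.
SAMPLE_LOG = """\
1407355776.833081 CNjybf25kbwTIpD9D6 192.168.88.2 58904 192.168.88.101 22 undetermined INBOUND SSH-2.0-MEDUSA_1.0 - - -
1407355784.647680 CGYsSAwShJeTcT2t8 192.168.88.2 58905 192.168.88.101 22 undetermined INBOUND SSH-2.0-MEDUSA_1.0 - - -
""" + "\n".join(
    f"1407356{i:03d}.000000 Cfake{i:03d} 10.0.0.5 {40000 + i} 192.168.88.101 22 "
    f"failure INBOUND SSH-2.0-OpenSSH_6.6 - - -"
    for i in range(31)
)

FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "status", "direction", "client")


def parse_ssh_log(text):
    """Yield one dict per data line; skips blanks and '#' header lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()          # real ssh.log is tab-separated; split() covers both
        if len(parts) < len(FIELDS):
            continue                  # malformed / truncated line
        yield dict(zip(FIELDS, parts))


def count_by_status(records):
    """Per source host, a Counter of status values (success/failure/undetermined)."""
    per_host = {}
    for r in records:
        per_host.setdefault(r["orig_h"], Counter())[r["status"]] += 1
    return per_host


def guessing_notices(text, limit=PASSWORD_GUESSES_LIMIT):
    """Return the notice messages raised for hosts whose failure count reaches
    the limit, using the fmt() string quoted in the thread."""
    notices = []
    for host, counts in sorted(count_by_status(parse_ssh_log(text)).items()):
        if counts["failure"] >= limit:
            notices.append(f"{host} appears to be guessing SSH passwords "
                           f"(seen in {counts['failure']} connections).")
    return notices
```

Running it on the sample shows 192.168.88.2 with two "undetermined" connections and zero failures, so no notice for it, while the constructed 10.0.0.5 crosses the limit.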