[Bro] Question on quick start documentation SSH:Login example.
jsiwek at illinois.edu
Wed Aug 6 14:35:15 PDT 2014
On Aug 6, 2014, at 3:33 PM, nithen <nithen at gmail.com> wrote:
> So here is an extract of the ssh.log:
> 1407355776.833081 CNjybf25kbwTIpD9D6 192.168.88.2 58904 192.168.88.101 22 undetermined INBOUND SSH-2.0-MEDUSA_1.0 - - -
The “undetermined” is saying it doesn’t even have a guess as to whether the ssh log in failed or was successful so either type of analysis you’ve tried so far won’t notice anything interesting happening because they’re only concerned about ssh logins with a status of “success” or “failure". I suggest trying to read scripts/base/protocols/ssh/main.bro and understand the criteria it uses to flip the login status to either “failure” or “success”, then try to look at conn.log to see which criteria aren’t being met.
More information about the Bro