[Bro] SSH Geodata Lookup Failures in 2.5

Jason Holmes jholmes at psu.edu
Mon Dec 12 13:28:03 PST 2016


Since upgrading to Bro 2.5, we've seen some odd behavior with the 
geodata lookups in the SSH logs.  In particular, the remote_location.* 
fields in the SSH logs are always missing the geodata when auth_success 
is true.  For example, here are stats for a day running 2.4-709 and a 
day running 2.5:

Bro version   auth_success   country_code logged   country_code not logged
2.4-709       T                    22169                       26
2.4-709       F                   167400                       10
2.5           T                        0                    23120
2.5           F                   247183                       16

Can anyone confirm that they are also seeing this behavior?  I.e., that 
with 2.5 there is no geodata for successful SSH connections?

To confound matters, I looked in the policy/protocols/ssh/geo-data.bro 
file and I see that when auth_success is true, it's not only supposed 
to try to log the geodata information, it's also supposed to print an 
entry in the notice log if the country code that is looked up matches a 
country code in the watch list.  Here's an example where a notice 
was logged but the SSH log still doesn't have geodata in it.  Based on 
the code in geo-data.bro, the country code would have had to have been 
looked up for the notice to be printed, so this seems to indicate that 
the lookup is successful but it's just not making it to the ssh log.

1481518954.665457	CknPAX2R85O0gumn	50972	128.XXX.XXX.XXX 
22	2	T	1	INBOUND	SSH-2.0-PuTTY_Snapshot_2016_11_20.09b7497 
SSH-2.0-OpenSSH_5.3	aes128-ctr	hmac-md5	none 
diffie-hellman-group-exchange-sha256	ssh-rsa 
b6:65:5c:8d:8b:8d:dc:bb:05:58:0d:9e:25:1e:da:37	-	-	-	-	-

1481519053.725294	CknPAX2R85O0gumn	50972	128.XXX.XXX.XXX 
22	-	-	-	tcp	SSH::Watched_Country_Login	SSH login from watched country: 
CN	-	128.XXX.XXX.XXX	22	-	worker-3-11	Notice::ACTION_LOG 
3600.000000	F	-	-	-	-	-


Jason Holmes
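A small checker for the symptom described in the post, added here as an example and not part of the original message or of Bro: it parses a Bro ssh.log using its `#fields` and `#unset_field` header directives and produces the auth_success / country_code breakdown tabulated above, then flags the case where successful logins never carry a country code. The sample log rows are constructed, not taken from the post.

```python
from collections import Counter

# Constructed sample of a Bro ssh.log (trimmed columns); rows are illustrative, not from the post.
SAMPLE_SSH_LOG = (
    "#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tauth_success\tremote_location.country_code\n"
    "1481518954.665457\tCknPAX2R85O0gumn\t203.0.113.10\tT\t-\n"
    "1481518960.000000\tCxa1\t203.0.113.11\tF\tCN\n"
    "1481518970.000000\tCxa2\t203.0.113.12\tT\t-\n"
    "1481518980.000000\tCxa3\t203.0.113.13\tF\t-\n"
    "1481518990.000000\tCxa4\t203.0.113.14\t-\tRO\n"
    "#close\t2016-12-12-00-00-00\n"
)

def parse_bro_log(text):
    """Yield one dict per row keyed by #fields; #unset_field values ('-') become None."""
    fields, unset = None, "-"
    for line in filter(None, text.splitlines()):
        if line.startswith("#"):  # header/footer directives such as #fields, #unset_field, #close
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        yield {k: (None if v == unset else v) for k, v in zip(fields, line.split("\t"))}

def geodata_stats(text):
    """Return {auth_success: (country_code logged, not logged)} as in the post's table."""
    counts = Counter()
    for rec in parse_bro_log(text):
        auth = rec.get("auth_success")
        if auth is None:  # no authentication outcome recorded; not counted
            continue
        counts[(auth, rec.get("remote_location.country_code") is not None)] += 1
    return {a: (counts[(a, True)], counts[(a, False)]) for a in ("T", "F")}

def missing_geodata_on_success(stats):
    """True when successful logins never carry a country code (the 2.5 symptom)."""
    logged, missing = stats["T"]
    return logged == 0 and missing > 0

if __name__ == "__main__":
    stats = geodata_stats(SAMPLE_SSH_LOG)
    for auth, (logged, missing) in stats.items():
        print(f"auth_success={auth}: country_code logged={logged}, not logged={missing}")
    print("2.5 symptom present:", missing_geodata_on_success(stats))
```

Point it at a real ssh.log by reading the file into `geodata_stats`; a non-zero "not logged" count only for auth_success=T, across a full day, is the pattern reported above.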