[Bro] Notice.log logs a Password_Guessing attempt but no logs in conn.log

fatema bannatwala fatema.bannatwala at gmail.com
Fri Jul 1 14:28:49 PDT 2016


So I had a weird situation at work today.
The notice.log file logged an IP for "SSH::Password_Guessing" with note as
" appears to be guessing SSH passwords (seen in 53 connections)".

But when I check conn.log file during that time period and grep that IP, I
just see single ssh established connection from that IP. I was assuming to
get 53 bad ssh connections logged in conn.lo file.

What am I missing here?
How can I confirm whether that IP was actually doing a SSH password
guessing attempt?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160701/f578495a/attachment.html 

More information about the Bro mailing list