[Bro] Notice.log logs a Password_Guessing attempt but no logs in conn.log
johanna at icir.org
Fri Jul 8 09:18:22 PDT 2016
You actually managed to stumble across a bug here - apparently the event
that we use to determine when password guessing occurs can be raised
several times in the same connection (which probably is an error).
I filed a ticket for this, if you want you can track the progress at
On Fri, Jul 01, 2016 at 05:28:49PM -0400, fatema bannatwala wrote:
> So I had a weird situation at work today.
> The notice.log file logged an IP for "SSH::Password_Guessing" with note as
> "220.127.116.11 appears to be guessing SSH passwords (seen in 53 connections)".
> But when I check conn.log file during that time period and grep that IP, I
> just see single ssh established connection from that IP. I was assuming to
> get 53 bad ssh connections logged in conn.log file.
> What am I missing here?
> How can I confirm whether that IP was actually doing an SSH password
> guessing attempt?
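The cross-check asked about in this thread, as an added example that is not part of the original messages or of Bro itself: it compares the connection count claimed in each `SSH::Password_Guessing` notice with the distinct connection uids that conn.log holds for the same source. The function names, the sample logs and the assumption that SSH runs on port 22 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample logs (real Bro logs carry more columns; addresses are documentation ranges).
NOTICE_SAMPLE = (
    "#fields\tts\tnote\tmsg\tsrc\n"
    "1467408529.0\tSSH::Password_Guessing\t192.0.2.10 appears to be guessing SSH passwords (seen in 53 connections)\t192.0.2.10\n"
    "1467408600.0\tSSH::Password_Guessing\t198.51.100.7 appears to be guessing SSH passwords (seen in 30 connections)\t198.51.100.7\n"
)
CONN_SAMPLE = (
    "#fields\tuid\tid.orig_h\tid.resp_h\tid.resp_p\n"
    "Cx1\t192.0.2.10\t10.0.0.5\t22\n"
    + "".join(f"Cy{i}\t198.51.100.7\t10.0.0.5\t22\n" for i in range(30))
)

SEEN = re.compile(r"seen in (\d+) connections")

def read_bro_log(text):
    """Parse a Bro TSV log; column names come from its '#fields' header line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def cross_check(notice_text, conn_text, port="22"):
    """Return (src, claimed, observed, mismatch) for each password-guessing notice."""
    uids = defaultdict(set)
    for row in read_bro_log(conn_text):
        if row.get("id.resp_p") == port:
            uids[row["id.orig_h"]].add(row["uid"])  # one uid per logged connection
    results = []
    for notice in read_bro_log(notice_text):
        match = SEEN.search(notice.get("msg", ""))
        if notice.get("note") != "SSH::Password_Guessing" or not match:
            continue
        claimed = int(match.group(1))
        observed = len(uids.get(notice["src"], ()))
        # Fewer logged connections than claimed suggests the notice was over-counted.
        results.append((notice["src"], claimed, observed, observed < claimed))
    return results

if __name__ == "__main__":
    for src, claimed, observed, mismatch in cross_check(NOTICE_SAMPLE, CONN_SAMPLE):
        print(src, claimed, observed, "MISMATCH" if mismatch else "ok")
```

The conn.log passed in has to cover the whole period the notice refers to, otherwise connections that fall outside the file also show up as a mismatch.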