[Bro] Understanding Connection history for ssh.
fatema.bannatwala at gmail.com
Mon Oct 10 10:37:31 PDT 2016
Hi Bro team,
I am trying to understand the 'history' field in conn.log for failed and
successful ssh logins.
Can we tell by looking into it whether the ssh connection was successful or
For ex: We had a case today where bro-intel flagged an IP to be bad with
85% confidence rate, and when we saw the conn.log corresponding to that
uid, we saw that that IP was trying to ssh into a machine.
Now the question is, can we tell by looking at the history - ShAdDa that
the ssh was successful?
1476046696.592070 CXs7MT25xi6ykmT3o1 188.8.131.52 50367 x.y.z.k 22 - - - 184.108.40.206 Intel::ADDR SSH::SUCCESSFUL_LOGIN worker-3-4 dataplane.org 85.0 scanner
1476046725.508913 CXs7MT25xi6ykmT3o1 220.127.116.11 50367 x.y.z.k 22 tcp ssh 10.623538 1383 1843 S1 F T 0 ShAdDa 15 2171 15 2631 (empty)
1476046725.634328 CXs7MT25xi6ykmT3o1 18.104.22.168 50367 x.y.z.k 22 2 T INBOUND SSH-2.0-libssh2_1.7.0 SSH-2.0-1.82 sshlib: WinSSHD 4.27 aes256-cbc hmac-sha1 none b9:93:6a:61:8d:29:01:ec:aa:01:1f:0e:90:0a:7b:6e CZ 84 Prerov
Also, what would the conn history look like in case of failed ssh
Thanks for the help.
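Added example, not from the original post or from the Bro project: a small decoder for the conn.log history field, using Bro's documented letter meanings (uppercase = originator, lowercase = responder), applied to the ShAdDa string quoted above. The summarize() checks are an assumed convenience, not a Bro API.

```python
"""Decode the Bro/Zeek conn.log ``history`` field (added example)."""
from typing import Dict, List, Tuple

# TCP-level events Bro records in conn.log ``history``.  An uppercase letter
# means the originator (client) sent the packet, lowercase the responder.
HISTORY_EVENTS = {
    "s": "SYN (no ACK)",
    "h": "SYN+ACK handshake reply",
    "a": "pure ACK",
    "d": "packet carrying payload data",
    "f": "FIN",
    "r": "RST",
    "c": "bad checksum",
    "t": "retransmitted payload",
    "i": "inconsistent packet (e.g. SYN+RST)",
    "q": "multi-flag packet (SYN+FIN or SYN+RST)",
}


def decode_history(history: str) -> List[Tuple[str, str]]:
    """Return (sender, description) for each letter, in packet order."""
    events = []
    for ch in history:
        if ch == "^":  # Bro flipped its guess of which side is the originator
            events.append(("bro", "connection direction flipped by heuristic"))
            continue
        sender = "originator" if ch.isupper() else "responder"
        desc = HISTORY_EVENTS.get(ch.lower(), f"unknown event '{ch}'")
        events.append((sender, desc))
    return events


def summarize(history: str) -> Dict[str, bool]:
    """Assumed helper: answer the usual triage questions from the history."""
    orig = {c for c in history if c.isupper()}
    resp = {c for c in history if c.islower()}
    return {
        "full_handshake": "S" in orig and "h" in resp and "A" in orig,
        "orig_sent_data": "D" in orig,
        "resp_sent_data": "d" in resp,
        "closed_with_fin": "F" in orig or "f" in resp,
        "reset": "R" in orig or "r" in resp,
    }


if __name__ == "__main__":
    for sender, desc in decode_history("ShAdDa"):  # value from the post
        print(f"{sender:>10}: {desc}")
    print(summarize("ShAdDa"))
```

For ShAdDa this yields a completed handshake with payload in both directions and no FIN or RST yet (matching conn_state S1), which every SSH session shows once banners and key exchange have been sent, so the history alone cannot tell a successful login from a failed one; that is what the auth_success column in ssh.log (the T in the quoted line) records.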