[Bro] Understanding Connection history for ssh.

fatema bannatwala fatema.bannatwala at gmail.com
Mon Oct 10 10:37:31 PDT 2016

Hi Bro team,

I am trying to understand the 'history' field in conn.log for failed and
successful ssh logins.
Can we tell by looking into it whether the ssh connection was successful or

For example: We had a case today where bro-intel flagged an IP to be bad with
85% confidence rate, and when we saw the conn.log corresponding to that
uid, we saw that that IP was trying to ssh into a machine.
Now the question is, can we tell by looking at the history - ShAdDa that
the ssh was successful?

intel.log entry
1476046696.592070   CXs7MT25xi6ykmT3o1   *   50367   x.y.z.k
22* - - -   Intel::ADDR   *SSH::SUCCESSFUL_LOGIN*   worker-3-4
  dataplane.org 85.0 scanner

conn.log entry
1476046725.508913   CXs7MT25xi6ykmT3o1   *   50367   ** x.y.z.k**
 22*   tcp ssh 10.623538   1383   1843   S1   F   T   0  * ShAdDa*   15
2171 15 2631 (empty)

ssh.log entry
1476046725.634328       CXs7MT25xi6ykmT3o1      **    50367
*x.y.z.k*    22      2       T       INBOUND SSH-2.0-libssh2_1.7.0
SSH-2.0-1.82 sshlib: WinSSHD 4.27     aes256-cbc      hmac-sha1       none
   diffie-hellman-group1-sha1      ssh-dss
b9:93:6a:61:8d:29:01:ec:aa:01:1f:0e:90:0a:7b:6e CZ      84      Prerov
                             49.453899       17.4524

Also, what would the conn history look like in case of failed ssh

Thanks for the help.
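For readers decoding this: the conn.log history string records TCP-level events only, one letter per event, uppercase for the originator and lowercase for the responder (letter meanings as in the Bro documentation). The decoder below is an added example, not code from the Bro project; it shows that ShAdDa proves a completed handshake with payload in both directions (the responder's data first, as expected for an SSH server banner), but says nothing by itself about whether authentication succeeded, which is what the auth_success column in ssh.log records.

```python
# Decoder for the Bro/Zeek conn.log "history" field.
# Uppercase letter = originator, lowercase = responder; "^" = direction flipped.
HISTORY_FLAGS = {
    "S": "SYN without ACK",
    "H": "SYN+ACK (handshake)",
    "A": "pure ACK",
    "D": "packet with payload (data)",
    "F": "FIN",
    "R": "RST",
    "C": "bad checksum",
    "T": "retransmitted packet",
    "I": "inconsistent packet (e.g. SYN+RST)",
    "Q": "multi-flag packet (SYN+FIN or SYN+RST)",
    "W": "zero window advertisement",
    "G": "content gap",
}


def decode_history(history):
    """Return a list of (side, description) tuples, one per history letter."""
    events = []
    for ch in history:
        if ch == "^":
            events.append(("analyzer", "connection direction flipped"))
            continue
        side = "orig" if ch.isupper() else "resp"
        events.append((side, HISTORY_FLAGS.get(ch.upper(), "unknown flag %r" % ch)))
    return events


def tcp_summary(history):
    """Classify what the history proves about the TCP layer (not the application)."""
    orig = {c for c in history if c.isupper()}
    resp = {c.upper() for c in history if c.islower()}
    # Three-way handshake: orig SYN, resp SYN+ACK, orig ACK.
    handshake = "S" in orig and "H" in resp and "A" in orig
    return {
        "handshake_complete": handshake,
        "orig_sent_data": "D" in orig,
        "resp_sent_data": "D" in resp,
        "reset": "R" in orig or "R" in resp,
    }


if __name__ == "__main__":
    # "ShAdDa" is the history value from the conn.log entry quoted above.
    for side, desc in decode_history("ShAdDa"):
        print(side, desc)
    print(tcp_summary("ShAdDa"))
```

A history of just "S" (SYN, no reply) or "ShR" (handshake refused or reset) is what a scan or rejected connection typically leaves; a failed SSH login still produces a full ShAdDa-style history, so the distinction lives in ssh.log, not conn.log.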
