[Bro] Understanding Connection history for ssh.
jlay at slave-tothe-box.net
Mon Oct 10 11:11:49 PDT 2016
On 2016-10-10 11:37, fatema bannatwala wrote:
> Hi Bro team,
> I am trying to understand the 'history' field in conn.log for failed
> and successful ssh logins.
> Can we tell by looking into it whether the ssh connection was
> successful or not?
> For ex: We had a case today where bro-intel flagged an IP to be bad
> with 85% confidence rate, and when we saw the conn.log corresponding
> to that uid, we saw that that IP was trying to ssh into a machine.
> Now the question is, can we tell by looking at the history - ShAdDa
> that the ssh was successful?
> intel.log entry
> 1476046696.592070 CXs7MT25xi6ykmT3o1 184.108.40.206 50367
> X.Y.Z.K 22 - - - 220.127.116.11 Intel::ADDR SSH::SUCCESSFUL_LOGIN
> worker-3-4 dataplane.org  85.0 scanner
> conn.log entry
> 1476046725.508913 CXs7MT25xi6ykmT3o1 18.104.22.168 50367
> X.Y.Z.K 22 tcp ssh 10.623538 1383 1843 S1 F T 0
> SHADDA 15 2171 15 2631 (empty)
> ssh.log entry
> 1476046725.634328 CXs7MT25xi6ykmT3o1 22.214.171.124 50367
> X.Y.Z.K 22 2 T INBOUND SSH-2.0-libssh2_1.7.0
> SSH-2.0-1.82 sshlib: WinSSHD 4.27 aes256-cbc hmac-sha1
> none diffie-hellman-group1-sha1 ssh-dss
> b9:93:6a:61:8d:29:01:ec:aa:01:1f:0e:90:0a:7b:6e CZ 84 Prerov
> 49.453899 17.4524
> Also, what would the conn history look like in case of a failed ssh?
> Thanks for the help.
The T in your ssh.log is "auth_success", so yes...bro views this as a
successful login. Also, that source IP is not so good...that IP is
listed in https://lists.blocklist.de/lists/ssh.txt.
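One way to read the two fields this thread is about, as an added example that is not code from the thread or from Bro itself: it decodes the conn.log history letters, checks whether the three-way handshake completed, and joins conn.log to ssh.log on uid so that auth_success (the T the reply points at) is read next to the history. The letter meanings are the ones in the Bro 2.x documentation as I recall them (an assumption to verify against your release); the sample rows, uids and IPs are constructed.

```python
# Bro 2.x conn.log history letters (assumption: verify the set against your release).
# Uppercase = sent by the originator, lowercase = sent by the responder.
HISTORY_LETTERS = {"s": "SYN without ACK", "h": "SYN+ACK", "a": "pure ACK",
                   "d": "packet with payload", "f": "FIN", "r": "RST",
                   "c": "bad checksum", "t": "retransmission", "i": "inconsistent packet"}

def decode_history(history):
    """Map each letter of a history string to (sender, meaning)."""
    return [("originator" if c.isupper() else "responder",
             HISTORY_LETTERS.get(c.lower(), "unknown letter %r" % c)) for c in history]

def handshake_completed(history):
    """True when S (orig SYN), h (resp SYN+ACK), A (orig ACK) appear in that order."""
    pos = 0
    for want in "ShA":
        pos = history.find(want, pos) + 1   # 0 means the letter was not found
        if pos == 0:
            return False
    return True

def parse_bro_log(text):
    """Parse Bro's tab-separated log format using its #fields header line."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records

# Constructed samples mirroring the thread's entries (placeholder IPs; ssh.log
# columns trimmed). Row two is a lone SYN that was never answered (conn_state S0).
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\t"
    "resp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents\n"
    "1476046725.508913\tCXs7MT25xi6ykmT3o1\t203.0.113.5\t50367\t192.0.2.10\t22\ttcp\tssh\t10.623538\t1383\t1843\tS1\tF\tT\t0\tShAdDa\t15\t2171\t15\t2631\t(empty)\n"
    "1476046800.000000\tCexample0000000001\t203.0.113.5\t50400\t192.0.2.10\t22\ttcp\t-\t-\t-\t-\tS0\tF\tT\t0\tS\t1\t60\t0\t0\t(empty)\n")
SSH_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tauth_success\tdirection\n"
    "1476046725.634328\tCXs7MT25xi6ykmT3o1\t203.0.113.5\t50367\t192.0.2.10\t22\t2\tT\tINBOUND\n")

def ssh_outcomes(conn_text=CONN_LOG, ssh_text=SSH_LOG):
    """Join conn.log and ssh.log on uid; auth_success is None when ssh.log has no row."""
    ssh_by_uid = {r["uid"]: r["auth_success"] == "T" for r in parse_bro_log(ssh_text)}
    return [{"uid": c["uid"], "conn_state": c["conn_state"],
             "handshake": handshake_completed(c["history"]),
             "data_both_ways": "D" in c["history"] and "d" in c["history"],
             "auth_success": ssh_by_uid.get(c["uid"])}
            for c in parse_bro_log(conn_text)]
```

The history alone only tells you the TCP side (ShAdDa: handshake completed and payload flowed both ways, consistent with conn_state S1); whether the login succeeded comes from ssh.log's auth_success, which is why the join on uid matters.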