[Bro] Understanding Connection history for ssh.

James Lay jlay at slave-tothe-box.net
Mon Oct 10 11:11:49 PDT 2016


On 2016-10-10 11:37, fatema bannatwala wrote: 

> Hi Bro team,
> 
> I am trying to understand the 'history' field in conn.log for failed
> and successful ssh logins.
> Can we tell by looking into it whether the ssh connection was
> successful or not?
> 
> For example: we had a case today where bro-intel flagged an IP as bad
> with an 85% confidence rate, and when we looked at the conn.log entry
> corresponding to that uid, we saw that that IP was trying to ssh into a
> machine. Now the question is, can we tell by looking at the history,
> ShAdDa, that the ssh was successful?
> 
> intel.log entry
> 1476046696.592070   CXs7MT25xi6ykmT3o1   77.242.90.96   50367   X.Y.Z.K   22   -   -   -   77.242.90.96   Intel::ADDR   SSH::SUCCESSFUL_LOGIN   worker-3-4   dataplane.org   85.0   scanner
> 
> conn.log entry
> 1476046725.508913   CXs7MT25xi6ykmT3o1   77.242.90.96   50367   X.Y.Z.K   22   tcp   ssh   10.623538   1383   1843   S1   F   T   0   ShAdDa   15   2171   15   2631   (empty)
> 
> ssh.log entry
> 1476046725.634328   CXs7MT25xi6ykmT3o1   77.242.90.96   50367   X.Y.Z.K   22   2   T   INBOUND   SSH-2.0-libssh2_1.7.0   SSH-2.0-1.82 sshlib: WinSSHD 4.27   aes256-cbc   hmac-sha1   none   diffie-hellman-group1-sha1   ssh-dss   b9:93:6a:61:8d:29:01:ec:aa:01:1f:0e:90:0a:7b:6e   CZ   84   Prerov   49.453899   17.4524
> 
> Also, what would the conn history look like in the case of a failed ssh
> login?
> 
> Thanks for the help.
> 
> Thanks,
> Fatema.

Fatema, 
The T in your ssh.log is "auth_success", so yes...bro views this as a
successful login.  Also, that source IP is not so good...that IP is
listed in https://lists.blocklist.de/lists/ssh.txt. 

James 
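An added example, not part of the thread above and not Bro's own code: a short Python script that decodes the conn.log history letters and joins the row with the ssh.log row sharing its uid. The two rows from the thread are embedded as input; the "failed login" rows are constructed for illustration, and the column order assumed is the one Bro 2.4 writes (the pasted rows match it; later releases insert further ssh.log columns such as auth_attempts). The point it makes is that ShAdDa only says the three-way handshake completed and both ends sent payload, which a rejected login produces as well; the verdict has to come from auth_success, which the SSH analyzer infers heuristically from the encrypted traffic and may leave unset ("-").

```python
"""Decode a Bro conn.log 'history' string and join it with the ssh.log row
that shares its uid, so "did this SSH session authenticate?" is answered
from the analyzer's auth_success rather than from TCP flags alone."""

from typing import Dict, List, Optional, Tuple

# conn.log history letters as documented for Bro/Zeek.  Upper case means the
# originator sent it, lower case the responder; '^' records a direction flip.
HISTORY_EVENTS = {
    "s": "SYN without ACK", "h": "SYN+ACK (handshake reply)", "a": "pure ACK",
    "d": "packet carrying payload", "f": "FIN", "r": "RST", "c": "bad checksum",
    "g": "content gap", "t": "retransmitted payload", "w": "zero window",
    "i": "inconsistent packet (e.g. FIN+RST)", "q": "multi-flag packet (SYN+FIN/RST)",
}

# Column order as Bro 2.4 writes it (assumed; it matches the rows in the thread).
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration", "orig_bytes", "resp_bytes",
               "conn_state", "local_orig", "local_resp", "missed_bytes", "history",
               "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents"]
SSH_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
              "version", "auth_success", "direction", "client", "server", "cipher_alg",
              "mac_alg", "compression_alg", "kex_alg", "host_key_alg", "host_key",
              "remote_location.country_code", "remote_location.region",
              "remote_location.city", "remote_location.latitude", "remote_location.longitude"]


def parse_row(line: str, fields: List[str]) -> Dict[str, str]:
    """Split one tab-separated Bro log line into a dict keyed by column name."""
    values = line.rstrip("\n").split("\t")
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
    return dict(zip(fields, values))


def decode_history(history: str) -> List[Tuple[str, str]]:
    """Expand e.g. 'ShAdDa' into (sender, event) pairs; unknown letters raise."""
    events = []
    for ch in history:
        if ch == "^":
            events.append(("bro", "connection direction flipped"))
            continue
        meaning = HISTORY_EVENTS.get(ch.lower())
        if meaning is None:
            raise ValueError(f"unknown history letter {ch!r}")
        events.append(("originator" if ch.isupper() else "responder", meaning))
    return events


def bro_bool(value: str) -> Optional[bool]:
    """Bro writes booleans as T / F, and '-' when the field was never set."""
    return {"T": True, "F": False, "-": None}[value]


def assess_ssh(conn: Dict[str, str], ssh: Dict[str, str]) -> Dict[str, object]:
    """TCP-level facts from conn.log plus the SSH analyzer's verdict from ssh.log.

    The history string cannot say whether authentication succeeded; it only
    shows a completed handshake and payload in both directions, which a
    rejected login produces too.  auth_success is the analyzer's heuristic."""
    if conn["uid"] != ssh["uid"]:
        raise ValueError("conn.log and ssh.log rows must share a uid")
    hist = conn["history"]
    return {
        "uid": conn["uid"],
        "handshake_complete": all(letter in hist for letter in "ShA"),
        "data_both_ways": "D" in hist and "d" in hist,
        "closed_by_fin": "F" in hist or "f" in hist,
        "reset": "R" in hist or "r" in hist,
        "conn_state": conn["conn_state"],
        "auth_success": bro_bool(ssh["auth_success"]),
    }


# The two rows from the thread, tab-joined as Bro's ASCII writer emits them.
CONN_SUCCESS = "\t".join([
    "1476046725.508913", "CXs7MT25xi6ykmT3o1", "77.242.90.96", "50367", "X.Y.Z.K", "22",
    "tcp", "ssh", "10.623538", "1383", "1843", "S1", "F", "T", "0", "ShAdDa",
    "15", "2171", "15", "2631", "(empty)"])
SSH_SUCCESS = "\t".join([
    "1476046725.634328", "CXs7MT25xi6ykmT3o1", "77.242.90.96", "50367", "X.Y.Z.K", "22",
    "2", "T", "INBOUND", "SSH-2.0-libssh2_1.7.0", "SSH-2.0-1.82 sshlib: WinSSHD 4.27",
    "aes256-cbc", "hmac-sha1", "none", "diffie-hellman-group1-sha1", "ssh-dss",
    "b9:93:6a:61:8d:29:01:ec:aa:01:1f:0e:90:0a:7b:6e", "CZ", "84", "Prerov",
    "49.453899", "17.4524"])

# Constructed rows (not from the thread): the same client rejected, with the
# session closed by FINs from both sides and the analyzer reporting F.
CONN_FAILED = "\t".join([
    "1476046800.000000", "CHypo1FailedLogin0", "77.242.90.96", "50400", "X.Y.Z.K", "22",
    "tcp", "ssh", "4.2", "900", "1100", "SF", "F", "T", "0", "ShAdDaFf",
    "9", "1300", "8", "1500", "(empty)"])
SSH_FAILED = "\t".join([
    "1476046800.120000", "CHypo1FailedLogin0", "77.242.90.96", "50400", "X.Y.Z.K", "22",
    "2", "F", "INBOUND", "SSH-2.0-libssh2_1.7.0", "SSH-2.0-1.82 sshlib: WinSSHD 4.27",
    "aes256-cbc", "hmac-sha1", "none", "diffie-hellman-group1-sha1", "ssh-dss",
    "b9:93:6a:61:8d:29:01:ec:aa:01:1f:0e:90:0a:7b:6e", "CZ", "84", "Prerov",
    "49.453899", "17.4524"])

if __name__ == "__main__":
    for conn_line, ssh_line in ((CONN_SUCCESS, SSH_SUCCESS), (CONN_FAILED, SSH_FAILED)):
        conn = parse_row(conn_line, CONN_FIELDS)
        print(assess_ssh(conn, parse_row(ssh_line, SSH_FIELDS)))
        for sender, event in decode_history(conn["history"]):
            print(f"  {sender:>10}: {event}")
```

Note that real conn.log rows are tab-separated; the rows pasted into the thread were re-spaced by the mail client, so they would need to be re-joined with tabs (as done here) before parse_row accepts them.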

