[Bro] Understanding Connection history for ssh.

Azoff, Justin S jazoff at illinois.edu
Mon Oct 10 12:37:46 PDT 2016


> On Oct 10, 2016, at 3:22 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> 
> The problem is that, when contacted the concerned party,
> they say that they don't see any login attempts from that IP and
> asking whether we were sure that the ssh login were successful.

If they are not seeing *any* attempts then something is screwed up with the logging on their end.

It's possible that the value of auth_success is wrong[1], but it's not possible that no attempt happened.  There was a tcp 3 way handshake, there was a ssh protocol negotiation, they should have something in their logs.


[1] Or misleading, often from the SSH point of view it was a login, but sometimes the remote system drops you into another password prompt instead of a shell. Appliances do this a lot.

-- 
- Justin Azoff




More information about the Bro mailing list