[Bro] Question about duplicate traffic with load balancing and SSH::Password_Guessing

Eric Hacecky hacecky at jlab.org
Fri Apr 21 07:49:11 PDT 2017

I'm trying to correlate the notices generated by SSH::Password_Guessing with bro/firewall logs.

I currently have the detect-bruteforcing variables at the default of 30 failed SSH attempts over a 30-minute period as the limit before a host is considered to be guessing passwords and a notice is generated.


//Bro Notice
Message: appears to be guessing SSH passwords (seen in 62 connections). 
Sub:	 Sampled servers:,,,,    (yes it lists the same SSH server 5 times)
Dst:	 - 
UID:	 - 
FUID:	 - 
File Mime Type:	 -  
File Desc:	 - 
Proto:	 - 
P:	 - 
N:	 - 
Peer Descr:	 worker-2-2 
Actions:	 Notice::ACTION_EMAIL,Notice::ACTION_LOG  

// Bro ssh.log for that timeframe
[root at bro]# cat ssh.21\:00\:00-22\:00\:00.log | /usr/local/bro/bin/bro-cut -d ts id.orig_h auth_success | grep
2017-04-18T21:36:58-0400		T     <--- this line is repeated 31 times
2017-04-18T21:37:45-0400	        T     <--- this line is repeated 31 times

Notice that auth_success is True.

//Firewall logs
Just shows the two (successful) ssh connections at the corresponding times.

My load balancing setup:


This is a single box with 32 cores.


This brings up two questions.

Why is SSH::Password_Guessing generating a notice when auth_success is True?

Is this expected behavior with my load balancing setup?  That the same connection is fed to all 31 cores?
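Added example, not part of the original post and not Bro's own detect-bruteforcing code: a small Python script that reads an ssh.log in Bro's TSV layout and checks the two things the post asks about mechanically. It reports connections that appear under more than one UID with the same timestamp and 4-tuple (what you would expect if every worker sees the same packets), and it counts auth_success outcomes per client both raw and deduplicated. The sample log lines are constructed; ts, uid, id.orig_h/id.orig_p/id.resp_h/id.resp_p and auth_success are real ssh.log column names, but the threshold logic is a simplified stand-in of my own, not the SumStats code in the policy script. The `failures_only=False` mode only shows how two real logins replicated across 31 workers add up to 62 connections; it does not claim that this is what the shipped script counts.

```python
"""Sanity checks on a Bro/Zeek ssh.log for the situation in the post:
the same SSH connection logged once per worker, and notice counts that do
not match what the log shows for auth_success."""
from collections import defaultdict

# Constructed sample (not real data) in Bro ssh.log TSV layout, trimmed to
# the columns this script needs. Two successful logins from 10.0.0.5 are each
# written three times under different UIDs, as if three workers all saw the
# same packets; 10.0.0.9 has one genuine failed attempt.
SAMPLE_SSH_LOG = """\
#separator \\x09
#path\tssh
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tauth_success
#types\ttime\tstring\taddr\tport\taddr\tport\tbool
1492565818.000000\tCabc1\t10.0.0.5\t50001\t10.0.0.22\t22\tT
1492565818.000000\tCabc2\t10.0.0.5\t50001\t10.0.0.22\t22\tT
1492565818.000000\tCabc3\t10.0.0.5\t50001\t10.0.0.22\t22\tT
1492565865.000000\tCdef1\t10.0.0.5\t50002\t10.0.0.22\t22\tT
1492565865.000000\tCdef2\t10.0.0.5\t50002\t10.0.0.22\t22\tT
1492565865.000000\tCdef3\t10.0.0.5\t50002\t10.0.0.22\t22\tT
1492565900.000000\tCghi1\t10.0.0.9\t40000\t10.0.0.22\t22\tF
#close\t2017-04-18-22-00-00
"""


def parse_log(text):
    """Parse Bro/Zeek TSV log text into dicts keyed by the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # #separator, #path, #types, #close, blank lines
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def conn_key(rec):
    """Connection identity independent of which worker logged it."""
    return (rec["ts"], rec["id.orig_h"], rec["id.orig_p"],
            rec["id.resp_h"], rec["id.resp_p"])


def duplicate_connections(records):
    """Return {conn_key: sorted UIDs} for connections logged under more than
    one UID. On a load-balanced sensor that means several workers analysed
    the same packets and each created its own connection record."""
    uids = defaultdict(set)
    for rec in records:
        uids[conn_key(rec)].add(rec["uid"])
    return {k: sorted(v) for k, v in uids.items() if len(v) > 1}


def per_client_counts(records, dedupe):
    """Count auth_success outcomes (T, F, or '-' for unset) per client.
    With dedupe=True a connection counts once however many workers logged it."""
    seen = set()
    counts = defaultdict(lambda: {"T": 0, "F": 0, "-": 0})
    for rec in records:
        key = conn_key(rec)
        if dedupe:
            if key in seen:
                continue
            seen.add(key)
        outcome = rec["auth_success"]
        if outcome not in ("T", "F"):
            outcome = "-"
        counts[rec["id.orig_h"]][outcome] += 1
    return dict(counts)


def flag_guessers(counts, limit, failures_only=True):
    """Clients at or above a guessing threshold (simplified stand-in for the
    policy script's logic, assumed here). failures_only=False counts every
    connection, which is how 2 logins x 31 workers can reach 62."""
    flagged = []
    for host, c in sorted(counts.items()):
        n = c["F"] if failures_only else c["T"] + c["F"] + c["-"]
        if n >= limit:
            flagged.append((host, n))
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_SSH_LOG)
    for key, uids in duplicate_connections(recs).items():
        print("duplicate connection %s logged as %s" % (key, uids))
    print("raw   :", per_client_counts(recs, dedupe=False))
    print("dedupe:", per_client_counts(recs, dedupe=True))
```

Run it against a real ssh.log by replacing `SAMPLE_SSH_LOG` with the file contents; any 4-tuple that comes back from `duplicate_connections` with one UID per worker is direct evidence that the load balancer is feeding the same packets to every worker, which is the first thing to confirm before looking at the notice logic itself.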

