[Bro] Question about duplicate traffic with load balancing and SSH::Password_Guessing
hacecky at jlab.org
Fri Apr 21 07:49:11 PDT 2017
I'm trying to correlate the notices generated by SSH::Password_Guessing with bro/firewall logs.
I currently have detect-bruteforcing variables at the default of 30 failed SSH attempts over a 30 minute period as the limit before a host is considered to be guessing passwords and a notice is generated.
Message: 126.96.36.199 appears to be guessing SSH passwords (seen in 62 connections).
Sub: Sampled servers: 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124 (yes it lists the same SSH server 5 times)
File Mime Type: -
File Desc: -
Peer Descr: worker-2-2
// Bro ssh.log for that timeframe
[root at bro]# cat ssh.21\:00\:00-22\:00\:00.log | /usr/local/bro/bin/bro-cut -d ts id.orig_h auth_success | grep 126.96.36.199
2017-04-18T21:36:58-0400 188.8.131.52 T <--- this line is repeated 31 times
2017-04-18T21:37:45-0400 184.108.40.206 T <--- this line is repeated 31 times
Notice that auth_success is True.
Just shows the two (successful) ssh connections at the corresponding times.
My load balancing setup:
This is a single box with 32 cores.
This brings up two questions.
Why is SSH::Password_Guessing generating a notice when auth_success is True?
Is this expected behavior with my load balancing setup? That the same connection is fed to all 31 cores?
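Added example (Python; not part of the original post and not Bro's own detect-bruteforcing code): a quick check of the symptom above on bro-cut output. It counts raw ssh.log records against connections de-duplicated by timestamp and source endpoint, and re-applies the 30-failures-in-30-minutes rule only to de-duplicated failed logins. The sample log lines, the 192.0.2.x hosts and the de-duplication key are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S%z"   # timestamp format produced by bro-cut -d

def parse(lines):
    """Parse 'bro-cut -d ts id.orig_h id.orig_p auth_success' output (tab separated)."""
    recs = []
    for ts, orig_h, orig_p, ok in (l.rstrip("\n").split("\t") for l in lines):
        recs.append({"ts": datetime.strptime(ts, FMT), "orig_h": orig_h,
                     "orig_p": int(orig_p), "auth_success": ok == "T"})
    return recs

def dedup(recs):
    """One record per (ts, source host, source port): a connection logged by N
    workers is still one connection (assumed duplicate key; uids may differ)."""
    return list({(r["ts"], r["orig_h"], r["orig_p"]): r for r in recs}.values())

def summary(recs):
    """Per source host: raw log records vs unique connections (the 62-vs-2 effect)."""
    out = defaultdict(lambda: {"raw": 0, "unique": 0})
    for key, rs in (("raw", recs), ("unique", dedup(recs))):
        for r in rs:
            out[r["orig_h"]][key] += 1
    return dict(out)

def guessing_hosts(recs, threshold=30, window=timedelta(minutes=30)):
    """Hosts whose unique failed logins reach the threshold inside one window (defaults as in the post)."""
    fails = defaultdict(list)
    for r in dedup(recs):
        if not r["auth_success"]:
            fails[r["orig_h"]].append(r["ts"])
    flagged = {}
    for host, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = end - start + 1
                break
    return flagged

# Constructed sample: two successful logins from 192.0.2.10, each written 31 times
# (one per worker, as in the post), plus 40 real failures from 192.0.2.20 in 20 min.
SAMPLE = []
for ts, port in [("2017-04-18T21:36:58-0400", 50001), ("2017-04-18T21:37:45-0400", 50002)]:
    SAMPLE += [f"{ts}\t192.0.2.10\t{port}\tT"] * 31
BASE = datetime.strptime("2017-04-18T21:00:00-0400", FMT)
SAMPLE += [f"{(BASE + timedelta(seconds=30 * i)).strftime(FMT)}\t192.0.2.20\t{40000 + i}\tF"
           for i in range(40)]
```

On the post's own ssh.log the raw/unique ratio per source is the direct measure of how many workers saw the same connection.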