[Bro] Bro doesn't detect SSH version in local network

Anton Egorov egoant495 at gmail.com
Wed Jun 21 05:45:32 PDT 2017


Bro somehow doesn't detect the SSH client version when listening on a local
network interface. The machine with installed Bro has two network
interfaces. One is in the company common network and the other is in the
small test network. Small network has address in a space.
The other machines in the small network have the two interfaces for the intranet and the
test network as well.

When an ssh connection is established from the test machine and Bro is listening
on the eth0 interface, the ssh client version gets detected. But if the ssh
connection targets the eth1 interface which Bro is listening on, nothing gets
Here are the interfaces on the machine with Bro installed:

# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:99:76:5f
          inet addr:  Bcast: Mask:
          RX packets:346628470 errors:0 dropped:1417 overruns:0 frame:0
          TX packets:327889 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:104910129783 (97.7 GiB)  TX bytes:77220087 (73.6 MiB)

eth1      Link encap:Ethernet  HWaddr 00:50:56:99:74:81
          inet addr:  Bcast: Mask:
          RX packets:1648090595 errors:0 dropped:20 overruns:0 frame:0
          TX packets:645 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:98885922776 (92.0 GiB)  TX bytes:93928 (91.7 KiB)

Bro is started like this:

# bro -i eth0 os-app-detect.bro local

or, for the local interface:
</grreplace>
<gr_replace lines="47-48" cat="clarify" orig="The connections">
The connections from the test machine are run like this.
On the eth0 interface (Bro detects it):

# bro -i eth1 os-app-detect.bro local

The output that shows in the first case is:

OpenSSH OpenSSH_6.0p1 Debian-4+deb7u3

The connections from a test machine runs like that
On eth0 interface (Bro detects it)

# ssh root at

On the eth1 interface (Bro doesn't detect it):

# ssh root at

The .bro script for printing the SSH client version:
# cat os-app-detect.bro

global os_detect: event(host: addr, os_name: string);
global app_detect: event(host: addr, app_name: string);

event OS_version_found(c: connection, host_addr: addr, OS: OS_version)
        {
        # Print the passive OS fingerprint and re-raise it as a custom event.
        local rec_value = OS$genre + " " + OS$detail;
        print rec_value;
        event os_detect(host_addr, rec_value);
        }

event Software::log_software(rec: Software::Info)
        {
        # Print each software entry (e.g. the SSH client banner) as it is logged.
        local app_name_ver = rec$name + " " + rec$unparsed_version;
        print app_name_ver;
        event app_detect(rec$host, app_name_ver);
        }

Info about the system:

# uname -a
Linux evm190 4.2.0-23-generic

# /usr/local/bro/bin/bro -v
/usr/local/bro/bin/bro version 2.4.1