[Bro] Bro doesn't detect SSH version in local network

Anton Egorov egoant495 at gmail.com
Wed Jun 21 05:45:32 PDT 2017


Hi,

Bro somehow doesn't detect the SSH client version when listening on a local
network interface. The machine with Bro installed has two network
interfaces. One is in the company's common network and the other is in a
small test network. The small network has addresses in the 192.168.0.0/16 space.
The other machines in the small network have two interfaces, for the intranet
and the test network, as well.

When an ssh connection is established from the test machine and Bro is
listening on the eth0 interface, the ssh client version gets detected. But if
the ssh connection targets the eth1 interface, which Bro is listening on,
nothing gets detected.

Here are the interfaces on the machine with Bro installed:

# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:99:76:5f
          inet addr:10.31.10.190  Bcast:10.31.10.255 Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:346628470 errors:0 dropped:1417 overruns:0 frame:0
          TX packets:327889 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:104910129783 (97.7 GiB)  TX bytes:77220087 (73.6 MiB)

eth1      Link encap:Ethernet  HWaddr 00:50:56:99:74:81
          inet addr:192.168.99.90  Bcast:192.168.99.255 Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1648090595 errors:0 dropped:20 overruns:0 frame:0
          TX packets:645 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:98885922776 (92.0 GiB)  TX bytes:93928 (91.7 KiB)

Bro is started like this:

# bro -i eth0 os-app-detect.bro local

or for the local interface:

# bro -i eth1 os-app-detect.bro local

The output shown in the first case is:

OpenSSH OpenSSH_6.0p1 Debian-4+deb7u3

The connections from the test machine are run like this.
On the eth0 interface (Bro detects it):

# ssh root@10.31.10.190

On the eth1 interface (Bro doesn't detect it):

# ssh root@192.168.99.90

The .bro script for printing the SSH client version:
-----
# cat os-app-detect.bro

# Custom events raised for other scripts/consumers to handle.
global os_detect: event(host: addr, os_name: string);
global app_detect: event(host: addr, app_name: string);

# Fired by the OS fingerprinting code when an OS guess is made for a host.
event OS_version_found(c: connection, host_addr: addr, OS: OS_version)
        {
        local rec_value = OS$genre + " " + OS$detail;
        print rec_value;
        event os_detect(host_addr, rec_value);
        }

# Fired by the Software framework whenever it logs a software.log entry,
# e.g. the SSH client/server banner seen on a connection.
event Software::log_software(rec: Software::Info)
        {
        local app_name_ver = rec$name + " " + rec$unparsed_version;
        print app_name_ver;
        event app_detect(rec$host, app_name_ver);
        }
-----

Info about the system:

# uname -a
Linux evm190 4.2.0-23-generic

# /usr/local/bro/bin/bro -v
/usr/local/bro/bin/bro version 2.4.1
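As an added diagnostic script (not part of the original post; the file name ssh-version-debug.bro is a placeholder), this Bro 2.4 script prints SSH banners straight from the analyzer's ssh_client_version/ssh_server_version events and shows whether Bro considers each endpoint local. The Software framework only records software for hosts matching Software::asset_tracking (LOCAL_HOSTS by default, i.e. hosts in Site::local_nets), so seeing the banner printed here on eth1 while Software::log_software stays silent points at that host filter rather than at packet capture; seeing no banner at all means the SSH analyzer never saw the exchange on that interface.

```bro
# ssh-version-debug.bro (placeholder name) -- run as:
#   bro -i eth1 ssh-version-debug.bro
# Prints SSH banners directly from the analyzer events, independent of the
# Software framework's asset_tracking filter, plus the "is this host local"
# answer that filter relies on.

@load base/protocols/ssh
@load base/frameworks/software

event bro_init()
        {
        # Empty local_nets means no host is "local", so LOCAL_HOSTS tracking
        # would log nothing; BroControl fills this from networks.cfg, a bare
        # "bro -i" run does not.
        print fmt("Site::local_nets = %s", Site::local_nets);
        print fmt("Software::asset_tracking = %s", Software::asset_tracking);
        }

# Raised as soon as the client's identification string is parsed.
event ssh_client_version(c: connection, version: string)
        {
        print fmt("client banner %s -> %s: %s",
                  c$id$orig_h, c$id$resp_h, version);
        print fmt("  orig local=%s  resp local=%s",
                  Site::is_local_addr(c$id$orig_h),
                  Site::is_local_addr(c$id$resp_h));
        }

# Raised as soon as the server's identification string is parsed.
event ssh_server_version(c: connection, version: string)
        {
        print fmt("server banner %s <- %s: %s",
                  c$id$orig_h, c$id$resp_h, version);
        }
```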