[Bro] Bro doesn't detect SSH version in local network

Anton Egorov egoant495 at gmail.com
Thu Jun 22 08:39:53 PDT 2017

Thank you very much. After setting proper local IP space it is working.

2017-06-22 16:44 GMT+03:00 Azoff, Justin S <jazoff at illinois.edu>:

> > On Jun 22, 2017, at 6:02 AM, Anton Egorov <egoant495 at gmail.com> wrote:
> >
> > Connection entries differ only in `local_orig      local_resp` fields.
> > What is the meaning of these connection parameters?
>
> Ah, so you have 2 separate problems here.
> Your first problem was that bro was only seeing half of the traffic.
> Note, this does not have anything to do with whether or not you ran an ls
> command.  The TCP 3 way handshake and the ssh negotiation would include
> traffic from both sides.
> Your latest conn log entry shows a proper record with packets from both
> directions of the connection, so whatever the issue you were having with
> that has been resolved.
> Your second problem is that you are using the Software::log_software
> event. By default this will only log software seen on local ip addresses.
> For a bro installation that is using broctl this is controlled by
> /usr/local/bro/etc/networks.cfg.  If you're normally using broctl just
> ensure that and (or whatever larger block
> you are using) is present in that file.  If you're not using broctl just
> use another script that includes
> redef Site::local_nets = {
>,     # Private IP space
>, # Private IP space
> };
> --
> - Justin Azoff
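
An added example, not part of the original thread and not Bro's own code: a Python check of how the `local_orig`/`local_resp` flags, and the local-hosts-only software logging described in the reply, follow from the networks listed in `networks.cfg`. The file contents and addresses are constructed samples, the function names are hypothetical, and only the membership test is modelled.

```python
import ipaddress

# Constructed sample networks.cfg contents (not the values from the thread):
# one CIDR per line, optional description after it, '#' starts a comment.
CFG_BEFORE = """\
# local address space
10.0.0.0/8        Private IP space
"""
CFG_AFTER = CFG_BEFORE + "192.168.0.0/16    Private IP space\n"


def parse_networks_cfg(text):
    """Return the networks declared in a networks.cfg-style file."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # First whitespace-separated token is the CIDR, the rest is a description.
        nets.append(ipaddress.ip_network(line.split()[0], strict=False))
    return nets


def is_local(addr, nets):
    """True if addr falls inside any configured local network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def classify(orig_h, resp_h, nets):
    """Model the conn.log local_orig/local_resp flags for one connection and
    list the endpoints that local-hosts-only software logging would cover."""
    local_orig = is_local(orig_h, nets)
    local_resp = is_local(resp_h, nets)
    logged = [h for h, loc in ((orig_h, local_orig), (resp_h, local_resp)) if loc]
    return {"local_orig": local_orig, "local_resp": local_resp,
            "software_logged_for": logged}


if __name__ == "__main__":
    # Constructed SSH connection between two hosts on the same LAN.
    for label, cfg in (("before", CFG_BEFORE), ("after", CFG_AFTER)):
        print(label, classify("192.168.1.10", "192.168.1.20",
                              parse_networks_cfg(cfg)))
```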