[Bro] Bro doesn't detect SSH version in local network

Anton Egorov egoant495 at gmail.com
Thu Jun 22 08:39:53 PDT 2017


Thank you very much. After setting the proper local IP space, it is working.

2017-06-22 16:44 GMT+03:00 Azoff, Justin S <jazoff at illinois.edu>:

>
> > On Jun 22, 2017, at 6:02 AM, Anton Egorov <egoant495 at gmail.com> wrote:
> >
> > Connection entries differ only in ` local_orig      local_resp` fields.
> > What is the meaning of these connection parameters?
>
> Ah, so you have 2 separate problems here.
>
> Your first problem was that bro was only seeing half of the traffic.
> Note, this does not have anything to do with whether or not you ran an ls
> command.  The TCP 3-way handshake and the ssh negotiation would include
> traffic from both sides.
>
> Your latest conn log entry shows a proper record with packets from both
> directions of the connection, so whatever the issue you were having with
> that has been resolved.
>
> Your second problem is that you are using the Software::log_software
> event. By default this will only log software seen on local IP addresses.
> For a bro installation that is using broctl this is controlled by
> /usr/local/bro/etc/networks.cfg.  If you're normally using broctl just
> ensure that 192.168.99.0/24 and 10.31.10.0/24 (or whatever larger block
> you are using) are present in that file.  If you're not using broctl just
> use another script that includes
>
> redef Site::local_nets = {
>         10.0.0.0/8,     # Private IP space
>         192.168.0.0/16, # Private IP space
> };
>
>
> --
> - Justin Azoff
>
>
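An added example, not part of the original thread: a small check that the subnets named above are covered by the entries of a networks.cfg-style file, either exactly or by a larger block. The function names are hypothetical and the sample file contents are constructed; point `parse_networks_cfg` at the text of your own networks.cfg.

```python
import ipaddress

# Constructed sample in the networks.cfg layout: CIDR, whitespace, description.
SAMPLE_NETWORKS_CFG = """\
# Local networks in CIDR notation, optionally followed by a description.
10.0.0.0/8          Private IP space
192.168.0.0/16      Private IP space
"""


def parse_networks_cfg(text):
    """Return the networks listed in networks.cfg-style text."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # First whitespace-separated field is the CIDR block.
        nets.append(ipaddress.ip_network(line.split()[0], strict=False))
    return nets


def uncovered(required, local_nets):
    """Return the required subnets that no configured local network contains."""
    missing = []
    for cidr in required:
        net = ipaddress.ip_network(cidr)
        # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
        if not any(net.version == loc.version and net.subnet_of(loc)
                   for loc in local_nets):
            missing.append(cidr)
    return missing


def is_local(addr, local_nets):
    """Membership test modelling what the local_orig/local_resp columns report."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in local_nets)


if __name__ == "__main__":
    nets = parse_networks_cfg(SAMPLE_NETWORKS_CFG)
    # Subnets taken from the thread above.
    print("not covered:", uncovered(["192.168.99.0/24", "10.31.10.0/24"], nets))
    print("192.168.99.5 local:", is_local("192.168.99.5", nets))
```
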