[Bro] Hui Lin_SSH Analyzer
Hui Lin (Hugo)
hlin33 at illinois.edu
Mon Jun 18 09:25:03 PDT 2012
On Mon, Jun 18, 2012 at 10:29 AM, Seth Hall <seth at icir.org> wrote:
>
> On Jun 18, 2012, at 10:35 AM, Hui Lin (Hugo) wrote:
>
> > When I test these two events with the default implementation, I find
> that the log file always record a failed ssh log in to the system even if I
> log in correctly by user/authentication. I want to check when these two
> events are called, but I could not find ssh analyzer binpac code.
>
> Those are script-land events. Currently all events generated by core code
> (typically the analyzers) are defined in events.bif. You can see in the SSH
> scripts where those events are generated.
>
It seems that these two events are included in event.bif.bro any more.
>
> The reason you're seeing a false positive is because the SSH successful
> login code uses a heuristic to guess if the login was successful or not and
> sometimes it's wrong
> > so I am wondering, how can I correctly record the ssh log in with
> user/password authentication and with the user name logged in plain text.
>
> That information is encrypted in SSH.
>
I see.
I accidentally find that there is also syslog policy in Bro. I know that
SSH login to the host machine will be logged in auth.log. I am wondering
whether Bro can log the SSH login through the syslog policy. At least, I am
not successful in my test.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120618/9ce00334/attachment.html
More information about the Bro
mailing list