[Bro] SSH Login Notices - Filter out internal to internal connections

Mike Kolkebeck mkolkebeck at gmail.com
Fri Nov 16 20:11:03 PST 2012


SSH::Login Notices for internal to internal connections can get fairly
noisy.

What is the most efficient way to filter out these notices for internal to
internal without filtering for external connections?

I was thinking of ignoring the SSH::Login notices altogether, but then I
believe I need to add a new Notice Type and fire a new notice on event
SSH::heuristic_successful_login.  See example code below.

Is there a more efficient way of doing this?  I know editing the base ssh
bro script is a big no-no.

Thanks!
Mike


redef enum Notice::Type += {
        Login_Success
};

# This is our list of internal addresses to exclude
global ssh_ignore: set[subnet] = {
        192.168.1.0/24,   # internal 1
        10.0.0.0/8,       # internal 2
};

# Ignore SSH::Login Notice Type
redef Notice::ignored_types += { SSH::Login };

# Add new Notice Type to successful login
event SSH::heuristic_successful_login(c: connection) &priority=0
        {
        # Only skip the notice when both endpoints are internal; a login
        # from an external originator to an internal server still fires.
        if ( c$id$orig_h in ssh_ignore && c$id$resp_h in ssh_ignore )
                return;

        NOTICE([$note=Login_Success,
                $msg="Heuristically detected successful SSH login.",
                $conn=c]);
        }
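As an added example (not from Mike's post or from the Bro distribution): the same filter written against the hook-based Notice::policy that later Bro/Zeek releases provide, which drops only internal-to-internal SSH::Login notices and leaves the SSH::Login type itself enabled, so no second notice type is needed. It assumes Notice::ACTION_LOG is already present in n$actions when the hook runs, so deleting it is what keeps the notice out of notice.log; the ssh_internal_to_internal helper is the example's own.

```zeek
# Added example, not part of the original post. Uses the framework's own
# Site::local_nets as the list of internal networks instead of a private set.
redef Site::local_nets += {
        192.168.1.0/24,   # internal 1 (sample values from the post)
        10.0.0.0/8,       # internal 2
};

# Helper defined for this example: true when both endpoints of the
# connection are inside Site::local_nets.
function ssh_internal_to_internal(id: conn_id): bool
        {
        return Site::is_local_addr(id$orig_h) && Site::is_local_addr(id$resp_h);
        }

hook Notice::policy(n: Notice::Info)
        {
        # Leave every other notice type alone.
        if ( n$note != SSH::Login )
                return;

        # Notices raised with $conn carry the connection id in n$id.
        if ( ! n?$id )
                return;

        if ( ssh_internal_to_internal(n$id) )
                # Assumption: ACTION_LOG was added before the hook ran, so
                # removing it suppresses the notice.log entry for this one
                # notice while external-to-internal logins are still logged.
                delete n$actions[Notice::ACTION_LOG];
        else if ( ! Site::is_local_addr(n$id$orig_h) )
                # Optional escalation: an SSH login from outside local_nets
                # is the case worth a human's attention.
                add n$actions[Notice::ACTION_EMAIL];
        }
```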