[Bro] ssh successful logins appear as failed

Siwek, Jonathan Luke jsiwek at illinois.edu
Mon Jul 1 13:53:57 PDT 2013


On Jul 1, 2013, at 2:17 PM, John Babio <jbabio at po-box.esu.edu> wrote:

> I was testing out the script from the manual. I was trying to figure out why the notice logs were not triggering. It turns out Bro is seeing successful logins as failures. This is really odd.


Typically, SSH user authentication protocol messages are already encrypted. A third party snooping on the exchange can't be 100% positive of the results. See [1] for more on how Bro does it and for tuning options. If you're just manually testing things out with your own SSH sessions, make sure to actually do some stuff in your session so Bro will see enough data exchanged to guess a success instead of failure.

- Jon

[1] http://bro.org/sphinx/scripts/base/protocols/ssh/main.html


