[Bro] ssh successful logins appear as failed
Seth Hall
seth at icir.org
Mon Jul 1 17:46:56 PDT 2013
On Jul 1, 2013, at 7:41 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
> The tricky part about this detection method is that you may run into erroneous results in that someone who connects on the first login attempt and then simply exits may exchange less application data than the limit that is defined. So while they were in fact successful in logging in, Bro falsely assumes that the session failed because so little data is transferred...
Exactly right.
Thanks!
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list