[Bro] Bro install on new machine - SSH logging broken

James Lay jlay at slave-tothe-box.net
Thu Oct 31 11:25:37 PDT 2013


On 2013-10-31 11:58, Nicholas Siow wrote:
> Hello all,
>
> We recently did a fresh install of Bro 2.1 on a new machine as per the
> quick start guide. This machine has been watching traffic for about a
> week now and all of the logs seem to be fine except for the SSH logs,
> which have the following problems.
>
> 1) These logs are not adding geo-location information. The MaxMind
> databases were installed and put in the proper location, and a quick
> bro script that called the lookup_location() function seems to be
> working fine in retrieving this information. However, none of this
> information is logged, even for heuristically successful connections.
>
> 2) About half of the entries in the SSH log have a status of
> "undetermined". This is not something we saw before on our older
> machine, where every entry was listed as either a success or failure
> in the status column.
>
> 3) The "resp_size" field of EVERY entry is 0. Once again, this is not
> something that we have seen before.
>
> I should also mention that we have an older machine watching the
> exact same network as this one (though with a smaller network card)
> and that one seems to be picking up on SSH traffic fine. Any idea
> what's going on here?
>
> Thank you,
> N. Siow

Run without checksums and see if you notice a difference:

broctl.cfg
<snip>
broargs = --no-checksums

James
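A quick way to measure the three symptoms from the original post (undetermined status, resp_size always 0, missing geo-location) before and after changing broargs is to count them straight out of ssh.log. The script below is an added example and is not code from the thread or from the Bro project; the sample log is constructed, and the ssh.log column names it assumes (status, resp_size, remote_location.country_code) follow the Bro 2.x ASCII log header format, which the parser reads from the #fields line rather than hard-coding positions.

```python
"""Summarise a Bro ssh.log for the symptoms discussed in the thread.

The parser reads the #separator / #unset_field / #fields header lines of a
Bro ASCII log, so it works for any Bro 2.x log, not only ssh.log.
"""
from collections import Counter

# Constructed sample data in Bro 2.x ASCII log format; the hosts, uids and
# timestamps are invented, not captured traffic. Column names are assumed
# to match a Bro 2.1 ssh.log header.
SAMPLE_SSH_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssh
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tstatus\tdirection\tclient\tserver\tresp_size\tremote_location.country_code
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tenum\tstring\tstring\tcount\tstring
1383234000.000000\tCabc1\t10.0.0.5\t51000\t192.0.2.10\t22\tsuccess\tINBOUND\tSSH-2.0-OpenSSH_5.9\tSSH-2.0-OpenSSH_6.2\t0\t-
1383234010.000000\tCabc2\t10.0.0.6\t51001\t192.0.2.10\t22\tundetermined\tINBOUND\tSSH-2.0-OpenSSH_5.9\tSSH-2.0-OpenSSH_6.2\t0\t-
1383234020.000000\tCabc3\t10.0.0.7\t51002\t192.0.2.11\t22\tundetermined\tINBOUND\tSSH-2.0-PuTTY_Release_0.63\tSSH-2.0-OpenSSH_6.2\t0\t-
1383234030.000000\tCabc4\t10.0.0.8\t51003\t192.0.2.11\t22\tfailure\tINBOUND\tSSH-2.0-OpenSSH_5.9\tSSH-2.0-OpenSSH_6.2\t0\t-
#close\t2013-10-31-12-00-00
"""


def parse_bro_log(text):
    """Parse a Bro ASCII log into a list of dicts keyed by the #fields names.

    Unset values (the #unset_field marker, '-' by default) become None.
    """
    sep = "\t"          # Bro's default field separator
    unset = "-"         # Bro's default unset marker
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            body = line[1:]
            if body.startswith("separator "):
                # The separator line is the only header line that uses a
                # space; its value is an escape sequence such as \x09.
                sep = bytes(body[len("separator "):], "ascii").decode("unicode_escape")
            else:
                key, _, value = body.partition(sep)
                if key == "unset_field":
                    unset = value
                elif key == "fields":
                    fields = value.split(sep)
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        rows.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return rows


def summarize_ssh(rows):
    """Count the three symptoms from the thread across ssh.log rows."""
    return {
        "total": len(rows),
        "status": dict(Counter(r.get("status") for r in rows)),
        "zero_resp_size": sum(1 for r in rows if r.get("resp_size") in (None, "0")),
        "missing_geo": sum(1 for r in rows if r.get("remote_location.country_code") is None),
    }


def symptoms(summary):
    """Return the thread's symptoms that the summary exhibits (rough heuristic)."""
    found = []
    total = summary["total"] or 1
    if summary["status"].get("undetermined", 0) / total >= 0.3:
        found.append("many undetermined statuses")
    if summary["zero_resp_size"] == summary["total"]:
        found.append("resp_size is 0 for every entry")
    if summary["missing_geo"] == summary["total"]:
        found.append("no geo-location on any entry")
    return found


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSH_LOG
    s = summarize_ssh(parse_bro_log(text))
    print(s)
    for item in symptoms(s):
        print("symptom:", item)
```

Run it against the real file (`python ssh_check.py /path/to/ssh.log`) once with the default broargs and once after adding `--no-checksums`; if the undetermined and zero resp_size counts drop, the sensor was discarding the server side of the conversation because of offloaded checksums rather than because of anything in the SSH analyzer.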
