[Bro] SSH heuristic
Benson Mathews
benson.mathews at gmail.com
Fri Sep 13 08:28:53 PDT 2013
I had a question about the SSH analyzer and how it determines a successful
connection. I have a Bro notification for a successful SSH login to a
system on my network for a connection originating from outside the US. Log
entries:
conn.log 2013-09-01 10:04:31 KIDipWlFWSi y.y.y.y 40014 x.x.x.x 22 tcp ssh 147.140508 1160 2377 S3 F 0 ShAadDf 21 2664 48 8221
ssh.log 2013-09-01 10:04:33 KIDipWlFWSi y.y.y.y 40014 x.x.x.x 22 success INBOUND SSH-2.0-libssh-0.2 SSH-2.0-OpenSSH_5.9 5725 CN - - - -
The log entry is dated the 1st and my client-side logs have rolled over,
so I can't validate this against syslog on the client.
I wanted to check if there's a chance this could be a false positive. Also,
the switch providing the feed itself is dropping packets and I see alerts
for CaptureLoss::Too_Much_Loss and PacketFilter::Dropped_Packets.
Would this loss cause Bro to misinterpret a brute-forcing/scan attempt as a
successful login?
I'm running Bro 2.0.
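A way to triage a notice like this one, as an added example that is not from the post or from Bro itself: join the ssh.log and conn.log records on their uid and list what supports or undermines the "success" verdict. It assumes Bro 2.0's column order for both logs and that the verdict comes from resp_size exceeding the SSH script's default threshold (assumed here to be 5500 bytes, Bro 2.0's authentication_data_size).

```python
# Added example, not Bro code: cross-check an ssh.log "success" verdict
# against the matching conn.log record. Column order assumed from Bro 2.0;
# AUTH_DATA_SIZE is an assumed default (authentication_data_size).
CONN_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service "
               "duration orig_bytes resp_bytes conn_state local_orig "
               "missed_bytes history orig_pkts orig_ip_bytes resp_pkts "
               "resp_ip_bytes").split()
SSH_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p status direction "
              "client server resp_size remote_location.country_code "
              "remote_location.region remote_location.city "
              "remote_location.latitude remote_location.longitude").split()
AUTH_DATA_SIZE = 5500  # assumed Bro 2.0 default for authentication_data_size

# Records constructed from the post (tab-separated, timestamp as one field).
CONN_LINE = ("2013-09-01T10:04:31\tKIDipWlFWSi\ty.y.y.y\t40014\tx.x.x.x\t22\ttcp\t"
             "ssh\t147.140508\t1160\t2377\tS3\tF\t0\tShAadDf\t21\t2664\t48\t8221")
SSH_LINE = ("2013-09-01T10:04:33\tKIDipWlFWSi\ty.y.y.y\t40014\tx.x.x.x\t22\tsuccess\t"
            "INBOUND\tSSH-2.0-libssh-0.2\tSSH-2.0-OpenSSH_5.9\t5725\tCN\t-\t-\t-\t-")


def parse(line, fields):
    """Split one tab-separated log record into a dict keyed by column name."""
    values = line.rstrip("\n").split("\t")
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
    return dict(zip(fields, values))


def review(conn, ssh):
    """Summarise the evidence for and against the ssh.log verdict."""
    if conn["uid"] != ssh["uid"]:
        raise ValueError("records must share a uid")
    resp_size = int(ssh["resp_size"])
    history = conn["history"]  # uppercase = originator, lowercase = responder
    return {
        "verdict": ssh["status"],
        "over_threshold": resp_size > AUTH_DATA_SIZE,
        "resp_sent_data": "d" in history,   # responder sent payload bytes
        "resp_sent_fin": "f" in history,    # responder closed its side
        "missed_bytes": int(conn["missed_bytes"]),  # gaps Bro saw in the stream
        # ssh.log resp_size above conn.log resp_bytes is an inconsistency
        # worth weighing together with CaptureLoss / Dropped_Packets notices
        "size_mismatch": resp_size > int(conn["resp_bytes"]),
    }


if __name__ == "__main__":
    print(review(parse(CONN_LINE, CONN_FIELDS), parse(SSH_LINE, SSH_FIELDS)))
```

The output is a checklist, not a verdict: a size-based heuristic can only be corroborated by host-side logs such as the client's syslog.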