[Bro] SSH heuristic

Oehlert, Samuel soehlert at illinois.edu
Fri Sep 13 09:42:46 PDT 2013


For the first part, that "5725" is the number of response bytes. The
threshold for what is considered successful is: const
authentication_data_size, which can be found in:
/bro/share/bro/base/protocols/ssh and I believe its default value was
either 5000 or 5500 on 2.0. Though if you want to redef this you'll want
to do it elsewhere such as your local.bro. Seth spent lots of time
figuring out the best threshold, but it is still only a guess based on
bytes, so there will be false positives. We find that many of them just
around 5000 bytes were false positives.

I don't know about your second part off the top of my head.

-Sam



On 9/13/13 10:28 AM, Benson Mathews wrote:
> I had a question about the SSH analyzer and how it determines a
> successful connection. I have a bro notification for a successful SSH
> login to a system on my network for a connection originating from
> outside US. Log entry:
> conn.log  2013-09-01 10:04:31  KIDipWlFWSi  y.y.y.y  40014  x.x.x.x  22  tcp  ssh  147.140508  1160  2377  S3  F  0  ShAadDf  21  2664  48  8221
> ssh.log   2013-09-01 10:04:33  KIDipWlFWSi  y.y.y.y  40014  x.x.x.x  22  success  INBOUND  SSH-2.0-libssh-0.2  SSH-2.0-OpenSSH_5.9  5725  CN  -  -  -  -
>
> The log entry is dated on the 1st and my client side logs have rolled
> over, so I can't validate this with syslog on the client.
>
> I wanted to check if there's a chance this could be a false positive.
> Also, the switch providing the feed itself is dropping packets and I
> see alerts for CaptureLoss::Too_Much_Loss and
> PacketFilter::Dropped_Packets.
>
> Would this loss cause Bro to misinterpret a brute forcing/scan attempt
> to a successful login?
>
> I'm running Bro 2.0.
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


-- 
Sam Oehlert
Security Engineer
NCSA
soehlert at illinois.edu
(217)300-1076

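The byte-count rule Sam describes, replayed over the thread's own log lines, as an added example (this is not Bro's SSH script and not code from either poster). It assumes a threshold of 5500 for SSH::authentication_data_size (Sam recalls the 2.0 default as either 5000 or 5500), an assumed 1000-byte "borderline" zone around that threshold for the false positives he mentions, constructed tab-separated records in the Bro 2.0 ssh.log and conn.log column order, and that conn.log's missed_bytes column is a usable signal for the capture loss Benson asked about. The first row of each sample log mirrors the entry quoted in the question; the other rows are made up to exercise the remaining paths.

```python
"""Replay of the Bro 2.0 SSH 'success' heuristic over ssh.log/conn.log rows.

Bro 2.0 calls a login successful when the server sent more than
SSH::authentication_data_size bytes. This added example re-derives that
verdict and attaches the two caveats raised in the thread: a byte count
only just over the threshold, and capture loss on the same connection.
"""

# Threshold from Sam's reply; 5500 is assumed (he recalls 5000 or 5500).
AUTHENTICATION_DATA_SIZE = 5500
# Assumed width of the "just around the threshold" false-positive zone.
BORDERLINE_MARGIN = 1000

# Constructed records, tab-separated, Bro 2.0 column order. The first row
# of each log mirrors the thread; the rest are made up for illustration.
SSH_LOG = (
    "2013-09-01 10:04:33\tKIDipWlFWSi\ty.y.y.y\t40014\tx.x.x.x\t22\tsuccess\tINBOUND\t"
    "SSH-2.0-libssh-0.2\tSSH-2.0-OpenSSH_5.9\t5725\tCN\t-\t-\t-\t-\n"
    "2013-09-01 10:05:10\tAbCdEfGhIjK\ty.y.y.y\t40015\tx.x.x.x\t22\tfailure\tINBOUND\t"
    "SSH-2.0-libssh-0.2\tSSH-2.0-OpenSSH_5.9\t1932\tCN\t-\t-\t-\t-\n"
    "2013-09-01 10:06:02\tZzYyXxWwVvU\tz.z.z.z\t51022\tx.x.x.x\t22\tsuccess\tINBOUND\t"
    "SSH-2.0-OpenSSH_6.2\tSSH-2.0-OpenSSH_5.9\t48210\tUS\t-\t-\t-\t-\n"
)
CONN_LOG = (
    "2013-09-01 10:04:31\tKIDipWlFWSi\ty.y.y.y\t40014\tx.x.x.x\t22\ttcp\tssh\t147.140508\t"
    "1160\t2377\tS3\tF\t0\tShAadDf\t21\t2664\t48\t8221\n"
    "2013-09-01 10:05:08\tAbCdEfGhIjK\ty.y.y.y\t40015\tx.x.x.x\t22\ttcp\tssh\t3.210044\t"
    "902\t1932\tSF\tF\t0\tShAdDaFf\t14\t1650\t16\t2780\n"
    "2013-09-01 10:06:00\tZzYyXxWwVvU\tz.z.z.z\t51022\tx.x.x.x\t22\ttcp\tssh\t612.004\t"
    "10240\t48210\tSF\tF\t1448\tShAdDaFf\t200\t20920\t320\t65130\n"
)


def parse_ssh_log(text):
    """ssh.log columns: ts uid orig_h orig_p resp_h resp_p status direction
    client server resp_size country_code region city latitude longitude."""
    recs = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        recs.append({"uid": f[1], "orig_h": f[2], "resp_h": f[4],
                     "status": f[6], "direction": f[7], "client": f[8],
                     "server": f[9], "resp_size": int(f[10]), "country": f[11]})
    return recs


def parse_conn_log(text):
    """conn.log columns: ts uid orig_h orig_p resp_h resp_p proto service
    duration orig_bytes resp_bytes conn_state local_orig missed_bytes
    history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes."""
    by_uid = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        by_uid[f[1]] = {"resp_bytes": int(f[10]), "conn_state": f[11],
                        "missed_bytes": int(f[13]), "history": f[14]}
    return by_uid


def heuristic_status(resp_size, threshold=AUTHENTICATION_DATA_SIZE):
    """The 2.0 rule as described in the thread: more server bytes than the
    threshold means 'success', anything else 'failure'."""
    return "success" if resp_size > threshold else "failure"


def assess(ssh_rec, conn_by_uid, threshold=AUTHENTICATION_DATA_SIZE,
           margin=BORDERLINE_MARGIN):
    """Re-derive the verdict and attach the caveats an analyst would want."""
    verdict = heuristic_status(ssh_rec["resp_size"], threshold)
    flags = []
    if verdict == "success" and ssh_rec["resp_size"] - threshold <= margin:
        # Sam: many false positives sit just over the threshold.
        flags.append("borderline")
    conn = conn_by_uid.get(ssh_rec["uid"])
    if conn is None:
        flags.append("no_conn_record")
    elif conn["missed_bytes"] > 0:
        # Bro saw a gap in this connection's stream, so the byte count
        # (and therefore the verdict) rests on incomplete data.
        flags.append("content_gap")
    return {"uid": ssh_rec["uid"], "verdict": verdict,
            "resp_size": ssh_rec["resp_size"], "flags": flags,
            "reliable": not flags}


def review(ssh_text=SSH_LOG, conn_text=CONN_LOG, **kw):
    """Join ssh.log to conn.log on uid and assess every SSH record."""
    conn_by_uid = parse_conn_log(conn_text)
    return [assess(r, conn_by_uid, **kw) for r in parse_ssh_log(ssh_text)]


if __name__ == "__main__":
    for r in review():
        print(r["uid"], r["verdict"], r["resp_size"], ",".join(r["flags"]) or "-")
```

Run against the thread's entry (uid KIDipWlFWSi, 5725 bytes) the verdict stays "success" but is flagged borderline, which is exactly the zone Sam says produces false positives; a connection with a non-zero missed_bytes is flagged separately because the count it was judged on is incomplete. To tune the live threshold the way Sam suggests, the corresponding knob is a `redef SSH::authentication_data_size = N;` line in local.bro (the SSH module name is assumed from the 2.0 script layout, not stated in the thread).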

