[Bro] SSH heuristic

Alex Waher alexwis at gmail.com
Fri Sep 13 10:47:10 PDT 2013


Right, if the ssh connection's response bytes are above this threshold
it'll log the session as having a successful login. If you have a large
pre-auth login banner (usually for compliance reasons) it will very likely
report as a false positive.


On Fri, Sep 13, 2013 at 9:42 AM, Oehlert, Samuel <soehlert at illinois.edu> wrote:

>  For the first part, that "5725" is the number of response bytes. The
> threshold for what is considered successful is: const
> authentication_data_size, which can be found in:
> /bro/share/bro/base/protocols/ssh and I believe its default value was
> either 5000 or 5500 on 2.0. Though if you want to redef this you'll want to
> do it elsewhere, such as your local.bro. Seth spent lots of time figuring
> out the best threshold, but it is still only a guess based on bytes, so
> there will be false positives. We find that many of them just around 5000
> bytes were false positives.
>
> I don't know about your second part off the top of my head.
>
> -Sam
>
>
>
>
> On 9/13/13 10:28 AM, Benson Mathews wrote:
>
> I had a question about the SSH analyzer and how it determines a successful
> connection. I have a bro notification for a successful SSH login to a
> system on my network for a connection originating from outside the US. Log
> entries:
>
> conn.log  2013-09-01 10:04:31  KIDipWlFWSi  y.y.y.y  40014  x.x.x.x  22  tcp  ssh  147.140508  1160  2377  S3  F  0  ShAadDf  21  2664  48  8221
>
> ssh.log   2013-09-01 10:04:33  KIDipWlFWSi  y.y.y.y  40014  x.x.x.x  22  success  INBOUND  SSH-2.0-libssh-0.2  SSH-2.0-OpenSSH_5.9  5725  CN  -  -  -  -
>
> The log entry is dated on the 1st and my client side logs have rolled
> over, so I can't validate this with syslog on the client.
>
> I wanted to check if there's a chance this could be a false positive.
> Also, the switch providing the feed itself is dropping packets and I see
> alerts for CaptureLoss::Too_Much_Loss and PacketFilter::Dropped_Packets.
>
> Would this loss cause Bro to misinterpret a brute forcing/scan attempt to
> a successful login?
>
> I'm running Bro 2.0.
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
> --
> Sam Oehlert
> Security Engineer
> NCSA
> soehlert at illinois.edu
> (217) 300-1076
>
>
>
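Added example (not Bro's own analyzer code, and not something posted in the thread): a short Python script that re-applies the byte heuristic the replies describe to ssh.log lines, joined to conn.log on the uid, and lists the reasons a given "success" deserves a second look. It uses the two log lines quoted in the thread plus constructed records; the threshold value is a parameter because the thread is unsure whether 2.0 shipped 5000 or 5500, and the 500-byte "marginal" band and the >= comparison are assumptions of this script, not Bro settings.

```python
"""Re-check Bro 2.0 ssh.log 'success' verdicts against the byte heuristic.

Added example, not Bro's SSH analyzer. It reproduces the rule described in
the thread (resp_size over SSH::authentication_data_size => "success") on
sample log lines and flags verdicts worth confirming on the host: ones only
a little over the threshold, and ones whose conn.log record shows missed
bytes. The threshold is a parameter (the thread is unsure whether 2.0 used
5000 or 5500); the 'band' of marginal bytes is an assumption of this script.
"""

# Field order as printed by bro-cut for the two lines quoted in the thread.
SSH_FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "status",
              "direction", "client", "server", "resp_size", "country_code",
              "region", "city", "latitude", "longitude"]
CONN_FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
               "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
               "local_orig", "missed_bytes", "history", "orig_pkts",
               "orig_ip_bytes", "resp_pkts", "resp_ip_bytes"]

# Constructed sample logs. The KIDipWlFWSi records are the ones quoted in the
# thread; the other uids, addresses and byte counts are made up.
SSH_LOG = """\
2013-09-01 10:04:33\tKIDipWlFWSi\ty.y.y.y\t40014\tx.x.x.x\t22\tsuccess\tINBOUND\tSSH-2.0-libssh-0.2\tSSH-2.0-OpenSSH_5.9\t5725\tCN\t-\t-\t-\t-
2013-09-01 11:15:02\tqRt7Zp3kLm2\ty.y.y.y\t40815\tx.x.x.x\t22\tsuccess\tINBOUND\tSSH-2.0-libssh-0.2\tSSH-2.0-OpenSSH_5.9\t5602\tCN\t-\t-\t-\t-
2013-09-01 12:40:19\tWd4HnS9vXa1\t10.0.0.5\t51234\tx.x.x.x\t22\tsuccess\tINBOUND\tSSH-2.0-OpenSSH_6.2\tSSH-2.0-OpenSSH_5.9\t41233\t-\t-\t-\t-\t-
2013-09-01 12:41:07\tBcE8kMj2YuT\ty.y.y.y\t40902\tx.x.x.x\t22\tfailure\tINBOUND\tSSH-2.0-libssh-0.2\tSSH-2.0-OpenSSH_5.9\t1287\tCN\t-\t-\t-\t-
"""
CONN_LOG = """\
2013-09-01 10:04:31\tKIDipWlFWSi\ty.y.y.y\t40014\tx.x.x.x\t22\ttcp\tssh\t147.140508\t1160\t2377\tS3\tF\t0\tShAadDf\t21\t2664\t48\t8221
2013-09-01 11:15:00\tqRt7Zp3kLm2\ty.y.y.y\t40815\tx.x.x.x\t22\ttcp\tssh\t98.201133\t1040\t5602\tS3\tF\t2920\tShAadDg\t19\t2400\t44\t7950
2013-09-01 12:40:17\tWd4HnS9vXa1\t10.0.0.5\t51234\tx.x.x.x\t22\ttcp\tssh\t612.55\t9870\t41233\tSF\tT\t0\tShAdDafF\t120\t16150\t140\t48700
2013-09-01 12:41:05\tBcE8kMj2YuT\ty.y.y.y\t40902\tx.x.x.x\t22\ttcp\tssh\t3.2\t980\t1287\tRSTO\tF\t0\tShAdDaR\t12\t1600\t11\t1900
"""


def parse_log(text, fields):
    """Split tab-separated Bro log lines into dicts ('-' = unset field)."""
    rows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def classify(resp_size, threshold, band):
    """The thread's heuristic plus a 'marginal' zone just above the threshold.

    Assumption: resp_size >= threshold counts as success; the thread does not
    state the exact comparison Bro 2.0 uses.
    """
    if resp_size < threshold:
        return "failure"
    if resp_size - threshold < band:
        return "marginal"
    return "success"


def review(ssh_text, conn_text, threshold=5500, band=500):
    """Join ssh.log to conn.log on uid and list reasons to doubt each verdict."""
    conns = {r["uid"]: r for r in parse_log(conn_text, CONN_FIELDS)}
    results = []
    for s in parse_log(ssh_text, SSH_FIELDS):
        c = conns.get(s["uid"], {})
        resp_size = int(s["resp_size"])
        missed_field = c.get("missed_bytes", "-")
        missed = int(missed_field) if missed_field.isdigit() else 0
        verdict = classify(resp_size, threshold, band)
        reasons = []
        if verdict == "marginal":
            reasons.append("only %d bytes over threshold %d"
                           % (resp_size - threshold, threshold))
        if missed > 0:
            reasons.append("conn.log missed_bytes=%d, capture loss on this flow"
                           % missed)
        if (s["status"] == "success") != (verdict != "failure"):
            reasons.append("logged %s but resp_size %d vs threshold %d; "
                           "check SSH::authentication_data_size on the sensor"
                           % (s["status"], resp_size, threshold))
        results.append({"uid": s["uid"], "logged": s["status"],
                        "verdict": verdict, "resp_size": resp_size,
                        "missed_bytes": missed,
                        "history": c.get("history", "-"),
                        "reasons": reasons})
    return results


def needs_verification(row):
    """True when the verdict should be confirmed against host-side auth logs."""
    return bool(row["reasons"])


if __name__ == "__main__":
    for row in review(SSH_LOG, CONN_LOG):
        flag = "CHECK" if needs_verification(row) else "ok"
        print("%-12s %-8s %-8s %6d %5d %-9s %s" % (
            row["uid"], row["logged"], row["verdict"], row["resp_size"],
            row["missed_bytes"], row["history"], flag))
        for reason in row["reasons"]:
            print("             - " + reason)
```

Run it as-is to see the four sample records, or point parse_log() at your own ssh.log and conn.log (header lines starting with "#" are skipped). With the threshold set to 5500 the thread's 5725-byte session lands only 225 bytes over the line and is reported as marginal; with 5000 it is not. The missed_bytes column is the quickest per-flow indicator that the CaptureLoss notices affected a particular connection.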

