[Bro] Interesting observation with ssh on non-ssh port
James Lay
jlay at slave-tothe-box.net
Wed Apr 2 11:14:02 PDT 2014
All,
I resolved to get monitoring of large amounts of outbound data (the
exfiltrate and largeTx type scripts) working today. My test setup is
two internal machines (192.168.1.). My hope was that I could just test
scp'ing a file from a machine running bro. I haven't got any scripts to
function, so I looked at the conn.log. Interestingly, the port I run
ssh on doesn't show up. I see my connected sessions fine in ssh.log,
but there's no trace of it in conn.log. This obviously explains why I
couldn't get the large outbound transfer scripts working, but now I'm
curious...is there a reason why this TCP session doesn't show up in
conn.log? Running bro 2.2...thank you.
James