[Bro] Question on quick start documentation SSH:Login example.
nithen
nithen at gmail.com
Wed Aug 6 13:33:54 PDT 2014
Thank you Jon and Justin. I really appreciate your help!
Jon, I could not get your script working - so I took a step back to
check my installation. I wanted to confirm that my default scripts
work.
I set up the following lab:
Kali Linux -> Bro SPAN -> Metasploitable
Using: FreeBSD + Bro 2.3 (compiled from source)
Test: trigger /usr/local/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
Verified: loaded_scripts.log (script is loaded), ssh.log (ssh login
attempts there).
So here is an extract of the ssh.log:
<snip>
1407355776.833081 CNjybf25kbwTIpD9D6 192.168.88.2 58904 192.168.88.101 22 undetermined INBOUND SSH-2.0-MEDUSA_1.0 - - -
1407355784.647680 CGYsSAwShJeTcT2t8 192.168.88.2 58905 192.168.88.101 22 undetermined INBOUND SSH-2.0-MEDUSA_1.0 - - -
</snip>
I checked the threshold in the Bro script:
<snip>
const password_guesses_limit: double = 30
</snip>
I hit the SSH server with over 500 incorrect root logins - however, no alerts were noted.
Any ideas on where I should start investigating? Do you require more
information?
Thank you,
Nithen
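A triage aid for the question above, added here as an example that is not part of the original post or of the Bro project: it tallies the ssh.log extract per originator and status and compares the result with the quoted limit of 30. The column positions are read off the two rows in the post, and the function names and the rule that only rows with status `failure` count toward the limit (reached at or above it) are assumptions of this example.

```python
from collections import Counter, defaultdict

# The two rows are copied from the ssh.log extract in the post
# (whitespace-separated). Column meaning is read off those rows:
# index 2 = originator address, index 6 = status.
SSH_LOG = """\
1407355776.833081 CNjybf25kbwTIpD9D6 192.168.88.2 58904 192.168.88.101 22 undetermined INBOUND SSH-2.0-MEDUSA_1.0 - - -
1407355784.647680 CGYsSAwShJeTcT2t8 192.168.88.2 58905 192.168.88.101 22 undetermined INBOUND SSH-2.0-MEDUSA_1.0 - - -
"""

PASSWORD_GUESSES_LIMIT = 30  # value quoted in the post


def tally_status(log_text):
    """Return {originator: Counter(status -> rows)} for an ssh.log extract."""
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split()
        # Skip blank lines, '#' header lines and rows too short to hold a status.
        if len(fields) < 7 or fields[0].startswith("#"):
            continue
        per_host[fields[2]][fields[6]] += 1
    return per_host


def triage(log_text, limit=PASSWORD_GUESSES_LIMIT, counted_status="failure"):
    """Compare rows per originator against the limit.

    Assumption of this example: only rows whose status equals
    counted_status count, and the limit is reached at or above `limit`.
    """
    report = {}
    for host, statuses in tally_status(log_text).items():
        counted = statuses[counted_status]  # Counter yields 0 if absent
        report[host] = {
            "rows": sum(statuses.values()),
            "counted": counted,
            "reaches_limit": counted >= limit,
            "statuses": dict(statuses),
        }
    return report


if __name__ == "__main__":
    for host, info in triage(SSH_LOG).items():
        print(host, info)
```

Run over the full ssh.log rather than the two-row extract, the per-status counts show how many rows per originator carry each status, which is the first thing to compare against the limit.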