[Bro] Question on quick start documentation SSH:Login example.

James Lay jlay at slave-tothe-box.net
Wed Aug 6 13:45:50 PDT 2014


On 2014-08-06 14:33, nithen wrote:
> Thank you Jon and Justin. I really appreciate your help!
>
> Jon, I could not get your script working - so I took a step back to
> check my installation. I wanted to confirm that my default scripts
> work.
>
> I set up the following lab:
>
> Kali Linux -> Bro SPAN -> Metasploitable
>
> Using: FreeBSD + Bro 2.3 (compiled from source)
>
> Test: trigger
> /usr/local/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
>
> Verified: loaded_scripts.log (script is loaded), ssh.log (ssh login
> attempts there).
>
> So here is an extract of the ssh.log:
> <snip>
> 
> 1407355776.833081	CNjybf25kbwTIpD9D6	192.168.88.2	58904	192.168.88.101	22	undetermined	INBOUND	SSH-2.0-MEDUSA_1.0	-	-	-
> 
> 1407355784.647680	CGYsSAwShJeTcT2t8	192.168.88.2	58905	192.168.88.101	22	undetermined	INBOUND	SSH-2.0-MEDUSA_1.0	-	-	-
> </snip>
>
> I checked the threshold in the Bro script:
> <snip>
> const password_guesses_limit: double = 30
> </snip>
>
> I hit the SSH server with over 500 incorrect root logins - however, no
> alerts were noted.
>
> Any ideas on where I should start investigating? Do you require more
> information?
>
> Thank you,
> Nithen
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

From the script:

# Generate the notice.
NOTICE([$note=Password_Guessing,
     $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
     $sub=sub_msg,
     $src=key$host,
     $identifier=cat(key$host)]);
}]);

Would that be in the ssh.log or the notice.log?

James
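Added illustration for this thread, not code from Bro or from anyone on the list: a small Python script that replays ssh.log records against the password_guesses_limit of 30 quoted above. It assumes the tab-separated column order of Nithen's extract (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, status, direction, client, server, ...) and, as an assumption about what the bruteforcing script observes, counts only records whose status is "failure" by default, so the "undetermined" records in the extract do not move the counter. The helper names and the extra constructed records are this example's own; the threshold logic shows where the Password_Guessing notice would be raised, and that notice is written to notice.log rather than ssh.log.

```python
"""Replay Bro 2.3 ssh.log records against the detect-bruteforcing threshold.

Illustration added to this thread; not Bro's code and not from the list.
Assumes the column layout shown in the quoted ssh.log extract.
"""
from collections import Counter

# Threshold quoted from detect-bruteforcing.bro in the thread.
PASSWORD_GUESSES_LIMIT = 30

# Column positions of the quoted ssh.log extract (trailing columns ignored).
FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "status", "direction", "client", "server")

# The two records quoted in the thread, verbatim.
QUOTED_SSH_LOG = (
    "1407355776.833081\tCNjybf25kbwTIpD9D6\t192.168.88.2\t58904\t"
    "192.168.88.101\t22\tundetermined\tINBOUND\tSSH-2.0-MEDUSA_1.0\t-\t-\t-\n"
    "1407355784.647680\tCGYsSAwShJeTcT2t8\t192.168.88.2\t58905\t"
    "192.168.88.101\t22\tundetermined\tINBOUND\tSSH-2.0-MEDUSA_1.0\t-\t-\t-\n"
)


def parse_ssh_log(text):
    """Parse ssh.log lines into dicts, skipping '#'-prefixed header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) < len(FIELDS):
            continue  # truncated line: skip rather than mis-assign columns
        records.append(dict(zip(FIELDS, cols)))
    return records


def failures_per_host(records, counted_statuses=("failure",)):
    """Count records per originating host whose status is in counted_statuses.

    Counting only "failure" by default is this example's assumption about
    what the bruteforcing script observes; "undetermined" records are not
    counted under it.
    """
    return Counter(r["orig_h"] for r in records
                   if r["status"] in counted_statuses)


def password_guessers(records, limit=PASSWORD_GUESSES_LIMIT,
                      counted_statuses=("failure",)):
    """Hosts whose counted attempts reached the limit, with their counts.

    This mirrors the threshold that triggers the Password_Guessing NOTICE;
    the notice itself lands in notice.log, not in ssh.log.
    """
    counts = failures_per_host(records, counted_statuses)
    return {host: n for host, n in counts.items() if n >= limit}


def build_scenario(n_extra, orig_h="192.168.88.2", resp_h="192.168.88.101"):
    """Constructed log: the two quoted records plus n_extra more connections
    from the same client, all with status 'undetermined' (uids made up)."""
    lines = [QUOTED_SSH_LOG.rstrip("\n")]
    for i in range(n_extra):
        lines.append("\t".join([
            f"{1407355790 + i}.000000", f"Cfake{i:06d}", orig_h,
            str(59000 + i), resp_h, "22", "undetermined", "INBOUND",
            "SSH-2.0-MEDUSA_1.0", "-", "-", "-",
        ]))
    return parse_ssh_log("\n".join(lines))


if __name__ == "__main__":
    recs = build_scenario(500)
    print("connections from 192.168.88.2:", len(recs))
    print("guessers if every connection counted:",
          password_guessers(recs, counted_statuses=("failure", "undetermined")))
    print("guessers if only 'failure' counts:", password_guessers(recs))
```

Run it and the 500-plus "undetermined" connections cross the limit only when that status is added to counted_statuses; with the default of "failure" alone the count stays at zero, which is one concrete thing to check against the real ssh.log status column when a notice never appears.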