[Bro] Stupid scripting question: SSH password detection limited to local networks

[Mike Patterson]

On Jan 29, 2014, at 6:20 PM, Robin Sommer <robin at icir.org> wrote:
> On Tue, Jan 28, 2014 at 12:29 -0500, you wrote:
> 
>> error in /usr/local/bro-2.2/share/bro/policy/misc/loaded-scripts.bro, line 4: syntax error, at or near “module"
> 
> Actually I get this too, just tried it. That looks like a bug.

It worked for bernhard as I’d originally described it. Maybe we should steal his test machine. :-)

> Here's
> a work-around that works for me: when you run the "process" commnand,
> it prints out a long command line. Copy that, leave broctl, paste it
> into your shell and then move your test script from its position
> somewhere in the middle to the very end.
> 
> I don't know if this helps solving the original problem but it should
> tell you if broctl sets the local networks correctly.

Your workaround worked for me, and did print out what I thought local networks should be set to.

Justin had pointed out to me that I could use
bro $PREFIX/bro/spool/installed-scripts-do-not-touch/auto/local-networks.bro test.bro
which worked equally well.

He also suggested a slight change to my hook:
Site::is_local_addr(n$id$orig_h)
to
Site::is_local_addr(n$src)

and now I’m working on trying to trigger the flipping SSH password guessing logic so I can test, and not having a lot of luck. :) I have a remote host I can ssh scan with impunity, so I’ve fired hydra and a simple “connect to port 22 and disconnect” script at it with no joy. I should have picked an easier notice to start with, I guess. :)

Mike