[Bro] Ignore_checksum causes weird.log to stop logging unusual login attempts

Aneela Safdar ansaf_130 at yahoo.com
Wed Aug 3 07:19:22 PDT 2016


Hi,
I am monitoring the weird.log file to look for unusual login attempts on different running services, like SMB. But when I added ignore_checksum=T in local.bro, weird.log stopped recording those login attempts. I am also, in parallel, reading SSH login requests, which are only logged by ssh.log if checksums are ignored.
Is there a way I could log attempts on both SMB and SSH services? How can I make a separate file for SMB-related requests? Just login attempts would be fine, because weird.log does not log usernames and other essential info related to the attack.
ssh.log file content, only logged when checksums are ignored:
{"ts":"2016-08-03T13:37:44.054012Z","uid":"CftFQ54On2aEMWTxe2","id.orig_h":"192.168.227.102","id.orig_p":41146,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:46.403884Z","uid":"CiPQlY3yKBXpFNAZy7","id.orig_h":"192.168.227.102","id.orig_p":38431,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:53.591712Z","uid":"CrBgS9RnVLTqoJ0Ch","id.orig_h":"192.168.227.102","id.orig_p":42909,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"auth_success":true,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:48.727616Z","uid":"Cl8KRP2oeWFBeEu1c8","id.orig_h":"192.168.227.102","id.orig_p":36868,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:51.030760Z","uid":"CihwTS2fBKkKOnLQmh","id.orig_h":"192.168.227.102","id.orig_p":34020,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:54.514701Z","uid":"Cy9JZh7rnAmkUopic","id.orig_h":"192.168.227.102","id.orig_p":46764,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:56.157141Z","uid":"CPlFiq1B98W54N2CHb","id.orig_h":"192.168.227.102","id.orig_p":39147,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:58.399253Z","uid":"CIUjNm1YN5VOCh2kMj","id.orig_h":"192.168.227.102","id.orig_p":33347,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}

weird.log file content for SMB service login attempts, logged when checksums are not ignored:
{"ts":"2016-08-03T12:58:27.310293Z","uid":"CX7tYC3dcJRhr7JHQf","id.orig_h":"192.168.227.102","id.orig_p":34040,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.379358Z","uid":"CX7tYC3dcJRhr7JHQf","id.orig_h":"192.168.227.102","id.orig_p":34040,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.383344Z","uid":"CU8OtK24mBy3xArCUf","id.orig_h":"192.168.227.102","id.orig_p":35751,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.434387Z","uid":"CU8OtK24mBy3xArCUf","id.orig_h":"192.168.227.102","id.orig_p":35751,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.437407Z","uid":"CJxYrM2ZDvbfXrOOMg","id.orig_h":"192.168.227.102","id.orig_p":37063,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.493461Z","uid":"CJxYrM2ZDvbfXrOOMg","id.orig_h":"192.168.227.102","id.orig_p":37063,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.496109Z","uid":"CmyLjl40RuIbPyIfGg","id.orig_h":"192.168.227.102","id.orig_p":37447,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.560012Z","uid":"CmyLjl40RuIbPyIfGg","id.orig_h":"192.168.227.102","id.orig_p":37447,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.567962Z","uid":"Cdkk3l4VSBL9hHfMyc","id.orig_h":"192.168.227.102","id.orig_p":38688,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.629859Z","uid":"Cdkk3l4VSBL9hHfMyc","id.orig_h":"192.168.227.102","id.orig_p":38688,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.633006Z","uid":"CWPSxs3IcmDxCuZlFc","id.orig_h":"192.168.227.102","id.orig_p":39016,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.696545Z","uid":"CWPSxs3IcmDxCuZlFc","id.orig_h":"192.168.227.102","id.orig_p":39016,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.712067Z","uid":"CVBsOs3XLLccpSJBZe","id.orig_h":"192.168.227.102","id.orig_p":42692,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.803202Z","uid":"CVBsOs3XLLccpSJBZe","id.orig_h":"192.168.227.102","id.orig_p":42692,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.805073Z","uid":"CJgitl2mjXr4YEnw3f","id.orig_h":"192.168.227.102","id.orig_p":42910,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.871340Z","uid":"CJgitl2mjXr4YEnw3f","id.orig_h":"192.168.227.102","id.orig_p":42910,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.896425Z","uid":"CAFrrn2rYMKZtslpVl","id.orig_h":"192.168.227.102","id.orig_p":35664,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}


Thanks,
Regards,
Aneela Safdar
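Added example, not part of the post above or of Bro itself: a small Python script that reads the JSON ssh.log and weird.log lines quoted in the post (trimmed to the fields it uses and embedded inline as constructed samples) and answers the two questions a practitioner would ask of them. First, does ssh.log show a password-guessing burst, and did a successful login land inside it? Second, how many connections in weird.log never had a completed TCP handshake from Bro's point of view? A run of data_before_established followed by inappropriate_FIN on every inbound connection to one host is the classic symptom of NIC checksum offloading on a sensor that captures on the server itself: the server's outgoing SYN/ACKs have unfilled checksums when libpcap sees them, Bro discards them as bad, and the connection is never established, so the SMB and SSH analyzers never attach. The assumption that 192.168.227.101 is both the server and the capture host, and the thresholds and window sizes, are mine, not the poster's.

```python
"""Correlate Bro JSON ssh.log and weird.log lines (added example, not Bro code).

Sample inputs are trimmed copies of the lines quoted in the mailing-list post;
field names are those of Bro's JSON log writer.  Thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the post's ssh.log, reduced to the fields used below.
SSH_LOG = """
{"ts":"2016-08-03T13:37:44.054012Z","uid":"CftFQ54On2aEMWTxe2","id.orig_h":"192.168.227.102","id.orig_p":41146,"id.resp_h":"192.168.227.101","id.resp_p":22}
{"ts":"2016-08-03T13:37:46.403884Z","uid":"CiPQlY3yKBXpFNAZy7","id.orig_h":"192.168.227.102","id.orig_p":38431,"id.resp_h":"192.168.227.101","id.resp_p":22}
{"ts":"2016-08-03T13:37:53.591712Z","uid":"CrBgS9RnVLTqoJ0Ch","id.orig_h":"192.168.227.102","id.orig_p":42909,"id.resp_h":"192.168.227.101","id.resp_p":22,"auth_success":true}
{"ts":"2016-08-03T13:37:48.727616Z","uid":"Cl8KRP2oeWFBeEu1c8","id.orig_h":"192.168.227.102","id.orig_p":36868,"id.resp_h":"192.168.227.101","id.resp_p":22}
{"ts":"2016-08-03T13:37:51.030760Z","uid":"CihwTS2fBKkKOnLQmh","id.orig_h":"192.168.227.102","id.orig_p":34020,"id.resp_h":"192.168.227.101","id.resp_p":22}
{"ts":"2016-08-03T13:37:54.514701Z","uid":"Cy9JZh7rnAmkUopic","id.orig_h":"192.168.227.102","id.orig_p":46764,"id.resp_h":"192.168.227.101","id.resp_p":22}
{"ts":"2016-08-03T13:37:56.157141Z","uid":"CPlFiq1B98W54N2CHb","id.orig_h":"192.168.227.102","id.orig_p":39147,"id.resp_h":"192.168.227.101","id.resp_p":22}
{"ts":"2016-08-03T13:37:58.399253Z","uid":"CIUjNm1YN5VOCh2kMj","id.orig_h":"192.168.227.102","id.orig_p":33347,"id.resp_h":"192.168.227.101","id.resp_p":22}
"""

# Constructed sample: four of the post's weird.log connections to port 445.
WEIRD_LOG = """
{"ts":"2016-08-03T12:58:27.310293Z","uid":"CX7tYC3dcJRhr7JHQf","id.orig_h":"192.168.227.102","id.orig_p":34040,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.379358Z","uid":"CX7tYC3dcJRhr7JHQf","id.orig_h":"192.168.227.102","id.orig_p":34040,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.383344Z","uid":"CU8OtK24mBy3xArCUf","id.orig_h":"192.168.227.102","id.orig_p":35751,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.434387Z","uid":"CU8OtK24mBy3xArCUf","id.orig_h":"192.168.227.102","id.orig_p":35751,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.437407Z","uid":"CJxYrM2ZDvbfXrOOMg","id.orig_h":"192.168.227.102","id.orig_p":37063,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.493461Z","uid":"CJxYrM2ZDvbfXrOOMg","id.orig_h":"192.168.227.102","id.orig_p":37063,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.896425Z","uid":"CAFrrn2rYMKZtslpVl","id.orig_h":"192.168.227.102","id.orig_p":35664,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
"""


def parse_log(text):
    """Bro's JSON writer emits one object per line; skip blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def ssh_guessing(records, threshold=5, window=timedelta(seconds=60)):
    """Per (client, server) pair, flag a burst of SSH sessions that are not
    known to have succeeded.  Bro only sets auth_success when it can infer the
    outcome, so a missing field means 'no success observed', not 'failure'.
    A burst is >= threshold such sessions inside a sliding window; it is then
    extended while consecutive sessions stay within `window` of each other.
    success_in_burst reports a successful login during the burst or within
    one window after it, i.e. guessing that apparently worked."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append(r)
    out = {}
    for pair, recs in by_pair.items():
        unsuccessful = sorted(parse_ts(r["ts"]) for r in recs if not r.get("auth_success"))
        successes = sorted(parse_ts(r["ts"]) for r in recs if r.get("auth_success"))
        burst = None
        i = 0
        for j, t in enumerate(unsuccessful):
            while t - unsuccessful[i] > window:   # slide the window start forward
                i += 1
            if j - i + 1 >= threshold:
                end, k = t, j + 1
                while k < len(unsuccessful) and unsuccessful[k] - end <= window:
                    end, k = unsuccessful[k], k + 1
                burst = (unsuccessful[i], end)
                break
        out[pair] = {
            "attempts": len(recs),
            "successes": len(successes),
            "flagged": burst is not None,
            "success_in_burst": burst is not None
            and any(burst[0] <= s <= burst[1] + window for s in successes),
        }
    return out


def handshake_gaps(records):
    """Group weird.log by connection uid and count, per responder port, the
    connections Bro saw payload for without ever seeing a completed handshake
    (name == data_before_established).  inappropriate_FIN on the same uid is
    the matching teardown of a connection Bro never considered established."""
    names, port = defaultdict(set), {}
    for r in records:
        names[r["uid"]].add(r["name"])
        port[r["uid"]] = r["id.resp_p"]
    per_port = defaultdict(lambda: {"conns": 0, "no_handshake": 0})
    for uid, seen in names.items():
        stats = per_port[port[uid]]
        stats["conns"] += 1
        if "data_before_established" in seen:
            stats["no_handshake"] += 1
    return dict(per_port)


def checksum_offload_suspected(per_port, min_conns=3):
    """Heuristic (assumption): if every one of at least min_conns connections
    to some port lacked a handshake, suspect dropped SYN/ACKs from bad
    checksums (NIC offloading on the capture host) rather than an attacker."""
    return any(v["conns"] >= min_conns and v["no_handshake"] == v["conns"]
               for v in per_port.values())


if __name__ == "__main__":
    print(ssh_guessing(parse_log(SSH_LOG)))
    gaps = handshake_gaps(parse_log(WEIRD_LOG))
    print(gaps, "checksum offload suspected:", checksum_offload_suspected(gaps))
```

On the post's own data the script reports eight SSH sessions from 192.168.227.102 in fifteen seconds with one success in the middle of the burst, and four port-445 connections that all lacked a handshake. The second result is the practical check: if the ratio is 100% on a port the host genuinely serves, the weird entries are an artifact of the sensor, and ignoring checksums (so the handshake is tracked and the analyzers run) is the way to get real SMB and SSH records rather than a sign that the "attack" went away.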