[Bro] SSH Geodata Lookup Failures in 2.5
Jason Holmes
jholmes at psu.edu
Mon Dec 12 13:28:03 PST 2016
Hi,
Since upgrading to Bro 2.5, we've seen some odd behavior with the
geodata lookups in the SSH logs. In particular, the remote_location.*
fields in the SSH logs are always missing the geodata when auth_success
is true. For example, here are stats for a day running 2.4-709 and a
day running 2.5:
Bro version  auth_success  country_code logged  country_code not logged
-----------  ------------  -------------------  -----------------------
2.4-709      T             22169                26
2.4-709      F             167400               10
2.5          T             0                    23120
2.5          F             247183               16
Can anyone confirm that they are also seeing this behavior? I.e., that
with 2.5 there is no geodata for successful SSH connections?
To confound matters, I looked in the policy/protocols/ssh/geo-data.bro
file and I see that when auth_success is true, it's not only supposed
to try to log the geodata information, it's also supposed to print an
entry in the notice log if the country code that is looked up matches a
country code in the watch list. Here's an example where a notice
was logged but the SSH log still doesn't have geodata in it. Based on
the code in geo-data.bro, the country code would have had to have been
looked up for the notice to be printed, so this seems to indicate that
the lookup is successful but it's just not making it to the ssh log.
ssh.log
-------
1481518954.665457 CknPAX2R85O0gumn 159.226.238.72 50972 128.XXX.XXX.XXX
22 2 T 1 INBOUND SSH-2.0-PuTTY_Snapshot_2016_11_20.09b7497
SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none
diffie-hellman-group-exchange-sha256 ssh-rsa
b6:65:5c:8d:8b:8d:dc:bb:05:58:0d:9e:25:1e:da:37 - - - - -
notice.log
----------
1481519053.725294 CknPAX2R85O0gumn 159.226.238.72 50972 128.XXX.XXX.XXX
22 - - - tcp SSH::Watched_Country_Login SSH login from watched country:
CN - 159.226.238.72 128.XXX.XXX.XXX 22 - worker-3-11 Notice::ACTION_LOG
3600.000000 F - - - - -
Thanks,
--
Jason Holmes
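The per-version counts in the post can be reproduced with a small tally over ssh.log. The following is an added example, not code from the post or from Bro; the ssh.log excerpt inside it is constructed and abbreviated to the columns the tally needs, and column positions are taken from the `#fields` header so the geo-data columns appended by geo-data.bro are located by name rather than by position.

```python
"""Tally Bro ssh.log rows by auth_success and whether
remote_location.country_code was populated (the check behind the
counts in the post).  Added example; the sample log is constructed."""
from collections import Counter

# Constructed ssh.log excerpt in Bro TSV layout, abbreviated to the
# columns this tally needs; a real 2.5 log carries the full column set.
SAMPLE_SSH_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tauth_success\tremote_location.country_code
#types\ttime\tstring\taddr\tbool\tstring
1481518954.665457\tCknPAX2R85O0gumn\t159.226.238.72\tT\t-
1481518960.000000\tCAAAAAAAAAAAAAAA\t203.0.113.5\tF\tCN
1481518970.000000\tCBBBBBBBBBBBBBBB\t198.51.100.9\tF\t-
1481518980.000000\tCCCCCCCCCCCCCCCC\t192.0.2.17\tT\t-
"""


def tally_geodata(log_text):
    """Return {(auth_success, country_logged): count} for one ssh.log.
    Columns are resolved from the #fields header, so extra geo-data
    columns appended by policy/protocols/ssh/geo-data.bro are found
    regardless of their position."""
    fields = None
    counts = Counter()
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, ...) and blanks
        if fields is None:
            raise ValueError("data row before #fields header")
        row = dict(zip(fields, line.split("\t")))
        auth = row.get("auth_success", "-")
        cc = row.get("remote_location.country_code", "-")
        counts[(auth, cc != "-")] += 1  # "-" is Bro's unset marker
    return counts


def missing_for_successful_logins(counts):
    """True when every auth_success=T row lacks a country code, i.e. the
    2.5 symptom described in the post is present in this log."""
    succ = {k: v for k, v in counts.items() if k[0] == "T"}
    return bool(succ) and all(not logged for (_, logged) in succ)


if __name__ == "__main__":
    c = tally_geodata(SAMPLE_SSH_LOG)
    for (auth, logged), n in sorted(c.items()):
        print(f"auth_success={auth} country_code_logged={logged}: {n}")
    print("2.5 symptom present:", missing_for_successful_logins(c))
```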