[Bro] SSH Geodata Lookup Failures in 2.5

Jason Holmes jholmes at psu.edu
Wed Dec 14 07:57:03 PST 2016


On 12/14/16 9:35 AM, Seth Hall wrote:
>
>> On Dec 12, 2016, at 4:28 PM, Jason Holmes <jholmes at psu.edu> wrote:
>>
>> Bro version, auth_success, country_code logged, country_code not logged
>> -----------------------------------------------------------------------
>> 2.4-709, T,  22169,    26
>> 2.4-709, F, 167400,    10
>> 2.5,     T,      0, 23120
>> 2.5,     F, 247183,    16
>>
>> Can anyone confirm that they are also seeing this behavior?  I.e., that
>> with 2.5 there is no geodata for successful SSH connections?
>
> I'm curious if you have Bro built against libGeoIP correctly?  What you are seeing would indicate to me that it isn't.  It's also possible that you don't have the geoip database installed.

Hi Seth,

Thanks for your response.  GeoIP lookups are working for our HTTP logs 
(code we added) and the SSH logs when auth_success==F.  It's only not 
working with SSH when auth_success==T, and in this case it apparently is 
partially working since there are watched country entries in the notice 
log for successful SSH connections, but the SSH log does not contain the 
geodata for these successful connections it's alerting on (see the two 
log lines I had in my initial mail for evidence of this).

--
Jason Holmes
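As an added example (not part of this thread, and not Bro's own policy code), here is a minimal Bro script that exercises the GeoIP lookup Seth is asking about in isolation, so a build or database problem can be told apart from a problem in the SSH logging path. It assumes Bro 2.5's built-in `lookup_location` function and the `geo_location` record it returns; the file name and the test address are constructed placeholders.

```bro
# Added example: check whether this Bro build can resolve geodata at all.
# Run with:  bro -b geo-check.bro
# (geo-check.bro is an assumed file name; -b loads only the base scripts)
event bro_init()
    {
    # Constructed sample address; substitute any public address.
    local test_addr = 8.8.8.8;
    local loc = lookup_location(test_addr);

    if ( loc?$country_code )
        print fmt("GeoIP OK: %s -> %s", test_addr, loc$country_code);
    else
        # No country_code here means Bro was built without libGeoIP
        # support or cannot find the GeoIP database; Bro also prints
        # a warning at startup in that case.
        print fmt("GeoIP lookup returned no country for %s", test_addr);
    }
```

If this prints a country code while the SSH log still lacks geodata for auth_success==T connections, the lookup itself is fine and the difference lies in when the SSH log entry is written relative to the geodata handler.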
