[Bro] Notice.log logs a Password_Guessing attempt but no logs in conn.log

Johanna Amann johanna at icir.org
Fri Jul 8 09:18:22 PDT 2016


Hello Fatema,

You actually managed to stumble across a bug here - apparently the event
that we use to determine when password guessing occurs can be raised
several times in the same connection (which probably is an error).

I filed a ticket for this, if you want you can track the progress at
https://bro-tracker.atlassian.net/browse/BIT-1641.

Thank you,
 Johanna

On Fri, Jul 01, 2016 at 05:28:49PM -0400, fatema bannatwala wrote:
> Hi,
> 
> So I had a weird situation at work today.
> The notice.log file logged an IP for "SSH::Password_Guessing" with note as
> "50.123.48.2 appears to be guessing SSH passwords (seen in 53 connections)".
> 
> But when I check conn.log file during that time period and grep that IP, I
> just see single ssh established connection from that IP. I was assuming to
> get 53 bad ssh connections logged in conn.log file.
> 
> What am I missing here?
> How can I confirm whether that IP was actually doing an SSH password
> guessing attempt?
> 
> Thanks,
> Fatema.
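
One way to run the cross-check asked about above, as an added example that is not part of the original thread or of Bro itself: it compares the connection count claimed in each SSH::Password_Guessing notice with the distinct SSH connection uids conn.log holds for that host. The function names are hypothetical, and the sample logs (including the 198.51.100.7 and 192.0.2.10 hosts) are constructed and trimmed to the columns used.

```python
import re
from collections import defaultdict

MSG_RE = re.compile(r"^(\S+) appears to be guessing SSH passwords \(seen in (\d+) connections\)")

def parse_bro_log(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def ssh_conns_by_host(conn_text):
    """Map originator IP -> set of distinct uids for SSH connections."""
    seen = defaultdict(set)
    for rec in parse_bro_log(conn_text):
        if rec.get("service") == "ssh" or rec.get("id.resp_p") == "22":
            seen[rec["id.orig_h"]].add(rec["uid"])
    return seen

def check_notices(notice_text, conn_text):
    """Return (ip, claimed, observed, consistent) per Password_Guessing notice."""
    conns = ssh_conns_by_host(conn_text)
    results = []
    for rec in parse_bro_log(notice_text):
        m = MSG_RE.match(rec.get("msg", ""))
        if rec.get("note") != "SSH::Password_Guessing" or not m:
            continue
        ip, claimed = m.group(1), int(m.group(2))
        observed = len(conns.get(ip, ()))
        # Fewer distinct connections than claimed means the counter was inflated.
        results.append((ip, claimed, observed, observed >= claimed))
    return results

# Constructed sample data (not real traffic), trimmed to the columns used above.
def _conn(i, ip):
    return f"1467408529.{i:06d}\tC{ip}{i}\t{ip}\t{40000 + i}\t192.0.2.10\t22\ttcp\tssh\tSF"

CONN_LOG = "\n".join(
    ["#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state",
     _conn(0, "50.123.48.2")] + [_conn(i, "198.51.100.7") for i in range(30)])
NOTICE_LOG = "\n".join([
    "#fields\tts\tnote\tmsg",
    "1467408600.0\tSSH::Password_Guessing\t50.123.48.2 appears to be guessing SSH passwords (seen in 53 connections)",
    "1467408700.0\tSSH::Password_Guessing\t198.51.100.7 appears to be guessing SSH passwords (seen in 30 connections)"])

if __name__ == "__main__":
    for ip, claimed, observed, ok in check_notices(NOTICE_LOG, CONN_LOG):
        print(f"{ip}: notice claims {claimed}, conn.log has {observed} ->", "consistent" if ok else "MISMATCH")
```

conn.log records are written when a connection ends, so search a window that extends past the notice timestamp before treating a shortfall as a mismatch.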
