[Bro] Notice.log logs a Password_Guessing attempt but no logs in conn.log

fatema bannatwala fatema.bannatwala at gmail.com
Fri Jul 8 10:29:29 PDT 2016


Hi Johanna,

Thanks for looking into the issue, because currently we are blocking all
the IPs reported by BRO doing SSH::Password_Guessing (from notice.log).
We have been doing that for almost 6 months now, but came across this
situation when a legit IP got blocked for doing Password_Guessing
according to BRO,
and we were asked to produce the log files reporting that it was actually
doing guessing, but we couldn't, because we didn't find any logs to prove
it.

I hope it gets fixed in the new version, because it's a really cool feature
to check to see all password guessing IPs and take necessary action against
them.

Thanks for working on it, appreciate it.

Thanks,
Fatema.

On Fri, Jul 8, 2016 at 12:18 PM, Johanna Amann <johanna at icir.org> wrote:

> Hello Fatema,
>
> you actually managed to stumble across a bug here - apparently the event
> that we use to determine when password guessing occurs can be raised
> several times in the same connection (which probably is an error).
>
> I filed a ticket for this, if you want you can track the progress at
> https://bro-tracker.atlassian.net/browse/BIT-1641.
>
> Thank you,
>  Johanna
>
> On Fri, Jul 01, 2016 at 05:28:49PM -0400, fatema bannatwala wrote:
> > Hi,
> >
> > So I had a weird situation at work today.
> > The notice.log file logged an IP for "SSH::Password_Guessing" with note
> > as "50.123.48.2 appears to be guessing SSH passwords (seen in 53
> > connections)".
> >
> > But when I check the conn.log file during that time period and grep that
> > IP, I just see a single established ssh connection from that IP. I was
> > assuming I would get 53 bad ssh connections logged in the conn.log file.
> >
> > What am I missing here?
> > How can I confirm whether that IP was actually doing a SSH password
> > guessing attempt?
> >
> > Thanks,
> > Fatema.
>
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
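The question in the thread is how to confirm from the logs whether a source flagged by SSH::Password_Guessing really made the connections the notice claims. The script below is an added example, not code from this thread or from Bro: it parses Bro's tab-separated log format and, for every Password_Guessing notice, compares the "seen in N connections" count in the message with the number of SSH connections for that source in conn.log and the number of failed authentications in ssh.log. The log lines are constructed; 50.123.48.2 and the 53-connection notice text come from the thread, while the other IP (203.0.113.9), the server 10.0.0.5, timestamps and uids are made up, and the ssh.log columns `auth_success`/`auth_attempts` are assumed to be present as in Bro 2.4-style ssh.log output.

```python
"""Cross-check SSH::Password_Guessing notices against conn.log and ssh.log.

Added example (not from the mailing list or from Bro). Sample logs below are
constructed in Bro's TSV format; only 50.123.48.2 and the "seen in 53
connections" notice text come from the thread.
"""
import re
from collections import Counter

# Constructed conn.log: a single SSH connection from 50.123.48.2 (the "legit"
# IP from the thread) and three from a made-up noisy source, 203.0.113.9.
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
1467408000.1\tC1\t50.123.48.2\t51000\t10.0.0.5\t22\ttcp\tssh\tSF
1467408001.2\tC2\t203.0.113.9\t40000\t10.0.0.5\t22\ttcp\tssh\tSF
1467408002.3\tC3\t203.0.113.9\t40001\t10.0.0.5\t22\ttcp\tssh\tSF
1467408003.4\tC4\t203.0.113.9\t40002\t10.0.0.5\t22\ttcp\tssh\tSF
"""

# Constructed ssh.log (auth_success / auth_attempts columns assumed, as in
# Bro 2.4-style ssh.log): the legit IP logged in once; the noisy IP failed.
SSH_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tauth_success\tauth_attempts
1467408000.1\tC1\t50.123.48.2\t51000\t10.0.0.5\t22\tT\t1
1467408001.2\tC2\t203.0.113.9\t40000\t10.0.0.5\t22\tF\t3
1467408002.3\tC3\t203.0.113.9\t40001\t10.0.0.5\t22\tF\t3
1467408003.4\tC4\t203.0.113.9\t40002\t10.0.0.5\t22\tF\t2
"""

# Constructed notice.log (reduced column set) with the notice from the thread
# plus one for the noisy source.
NOTICE_LOG = """\
#fields\tts\tnote\tmsg\tsrc
1467408100.0\tSSH::Password_Guessing\t50.123.48.2 appears to be guessing SSH passwords (seen in 53 connections)\t50.123.48.2
1467408100.0\tSSH::Password_Guessing\t203.0.113.9 appears to be guessing SSH passwords (seen in 3 connections)\t203.0.113.9
"""


def parse_bro_log(text):
    """Parse Bro TSV: the '#fields' line names the columns, other '#' lines
    (#separator, #types, #close, ...) are metadata and skipped."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is not None:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def ssh_connections_by_source(conn_rows):
    """Number of conn.log entries with service 'ssh' per originating host."""
    return Counter(r["id.orig_h"] for r in conn_rows if r.get("service") == "ssh")


def failed_ssh_auths_by_source(ssh_rows):
    """Number of ssh.log entries with auth_success == F per originating host."""
    return Counter(r["id.orig_h"] for r in ssh_rows if r.get("auth_success") == "F")


def corroborate(notice_rows, conn_rows, ssh_rows):
    """For each SSH::Password_Guessing notice, compare the claimed connection
    count with the evidence available in conn.log and ssh.log."""
    conns = ssh_connections_by_source(conn_rows)
    fails = failed_ssh_auths_by_source(ssh_rows)
    results = {}
    for n in notice_rows:
        if n.get("note") != "SSH::Password_Guessing":
            continue
        m = re.search(r"seen in (\d+) connections", n.get("msg", ""))
        claimed = int(m.group(1)) if m else 0
        src = n["src"]
        seen, failed = conns.get(src, 0), fails.get(src, 0)
        results[src] = {
            "claimed": claimed,
            "ssh_conns": seen,
            "failed_auths": failed,
            # The notice is backed by the logs only if we can find at least as
            # many SSH connections as it claims and at least one failed auth.
            "supported": seen >= claimed and failed > 0,
        }
    return results


def run():
    """Run the cross-check over the constructed sample logs."""
    return corroborate(parse_bro_log(NOTICE_LOG),
                       parse_bro_log(CONN_LOG),
                       parse_bro_log(SSH_LOG))


if __name__ == "__main__":
    for src, r in run().items():
        status = "supported" if r["supported"] else "NOT supported"
        print(f"{src}: notice claims {r['claimed']} connections; conn.log has "
              f"{r['ssh_conns']} SSH connections, ssh.log has "
              f"{r['failed_auths']} failed auths -> {status}")
```

Run against real logs by reading the three files instead of the constructed strings; a notice whose claimed count far exceeds the SSH connections actually present for that source, as in the 53-vs-1 case described above, is exactly the symptom to keep as evidence before acting on a block.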