[Bro] [bro] ssh connections.

Tim Desrochers tgdesrochers at gmail.com
Thu Mar 17 10:43:28 PDT 2016


What I am seeing is "-", but on successful connects from internal host to internal host I am seeing "success".

I am in the process of examining pcap and auth logs on the server at this moment to determine success or failure.



From: Vlad Grigorescu
Sent: Thursday, March 17, 2016 1:40 PM
To: Tim Desrochers; bro at bro.org
Subject: Re: [Bro] [bro] ssh connections.

Yes. A good example of this is if SSH compression is enabled.

I would hope that auth_success is set to "-" and not set to the
incorrect T or F state, but it's possible that there's some
server/client combination out there that's throwing off the detection.
If you are seeing such cases, please send a PCAP and I can look at
improving the detection.

  --Vlad

Tim Desrochers <tgdesrochers at gmail.com> writes:

> Is it possible for someone to establish an SSH session but the bro log not to show “auth_success” as true?
>
> Thanks
> Tim
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
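
Added example, not part of the original thread or of Bro itself: a small Python reader for ssh.log that keeps an unset auth_success ("-") separate from F, so sessions Bro could not classify (for instance with compression enabled, as mentioned above) are queued for review instead of being counted as failures. The log lines are constructed, and the column set is a trimmed subset of ssh.log assumed for illustration.

```python
import io
from collections import Counter

# Constructed sample in Bro's tab-separated ASCII log layout; the columns are
# a trimmed subset of ssh.log and every value is made up for illustration.
SAMPLE_SSH_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tauth_success\tcompression_alg",
    "1458236608.1\tCaaa1\t10.0.0.5\t10.0.0.9\tT\tnone",
    "1458236609.2\tCbbb2\t198.51.100.7\t10.0.0.9\tF\tnone",
    "1458236610.3\tCccc3\t198.51.100.7\t10.0.0.9\t-\tzlib@openssh.com",
    "1458236611.4\tCddd4\t203.0.113.4\t10.0.0.9\t-\tnone",
    "#close\t2016-03-17-10-43-31",
]) + "\n"

def read_bro_log(stream):
    """Yield one dict per record, mapping the log's unset marker to None."""
    fields, unset = [], "-"
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#unset_field\t"):
            unset = line.split("\t")[1]
        elif line and not line.startswith("#"):
            values = line.split("\t")
            yield {k: (None if v == unset else v) for k, v in zip(fields, values)}

STATES = {"T": "success", "F": "failure", None: "undetermined"}

def triage(stream):
    """Return (counts per state, records whose auth_success is unset)."""
    counts, undetermined = Counter(), []
    for rec in read_bro_log(stream):
        state = STATES.get(rec.get("auth_success"), "unexpected")
        counts[state] += 1
        if state == "undetermined":
            undetermined.append(rec)  # needs pcap / server auth log review
    return counts, undetermined

if __name__ == "__main__":
    counts, undetermined = triage(io.StringIO(SAMPLE_SSH_LOG))
    print(dict(counts))
    for rec in undetermined:
        print(rec["uid"], rec["id.orig_h"], "->", rec["id.resp_h"], rec["compression_alg"])
```

The undetermined records are the ones to check against a packet capture or the server's own auth log.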
