[Bro] [bro] ssh connections.

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Thu Mar 17 10:55:40 PDT 2016


Similarly, I’ve seen SSH sessions not identified when SSH is multiplexed with other protocols on the same port, e.g. SSH and HTTP on port 80. Wish I had more time to help with detecting cases like this.

https://github.com/stealth/sshttp 


-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Vlad Grigorescu
Sent: Thursday, March 17, 2016 1:40 PM
To: Tim Desrochers; bro at bro.org
Subject: Re: [Bro] [bro] ssh connections.

Yes. A good example of this is if SSH compression is enabled.

I would hope that auth_success is set to "-" and not set to the incorrect T or F state, but it's possible that there's some server/client combination out there that's throwing off the detection.
If you are seeing such cases, please send a PCAP and I can look at improving the detection.

  --Vlad

Tim Desrochers <tgdesrochers at gmail.com> writes:

> Is it possible for someone to establish an SSH session but the bro log not to show “auth_success” as true?
>
> Thanks
> Tim
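
An added example, not part of the original thread and not Bro's own code: a Python check that reads an ssh.log in Bro's tab-separated format and lists the sessions whose auth_success is unset ("-"), grouped by compression algorithm, which is the case discussed above. The log excerpt is constructed and shows only a subset of columns; sessions that Bro never identified as SSH (such as the multiplexed port 80 case) do not appear in ssh.log and are outside what this check can see.

```python
from collections import Counter

# Constructed ssh.log excerpt in Bro's tab-separated format. Only a subset of
# the real columns is shown and every value is made up for illustration.
SAMPLE_SSH_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tssh",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tauth_success\tcompression_alg",
    "1458236140.1\tCaaa1\t192.0.2.10\t198.51.100.5\t22\tT\tnone",
    "1458236150.2\tCbbb2\t192.0.2.11\t198.51.100.5\t22\tF\tnone",
    "1458236160.3\tCccc3\t192.0.2.12\t198.51.100.5\t22\t-\tzlib@openssh.com",
    "1458236170.4\tCddd4\t192.0.2.13\t198.51.100.6\t22\t-\tzlib@openssh.com",
])


def parse_bro_log(text):
    """Yield one dict per record; the log's unset marker becomes None."""
    fields, unset = [], "-"
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            continue
        if line:
            values = line.split("\t")
            yield {f: None if v == unset else v for f, v in zip(fields, values)}


def undetermined(records):
    """Sessions for which Bro logged neither T nor F in auth_success."""
    return [r for r in records if r.get("auth_success") is None]


def summarize(records):
    """Count auth_success outcomes per negotiated compression algorithm."""
    names = {"T": "success", "F": "failure"}
    tally = Counter()
    for r in records:
        outcome = names.get(r.get("auth_success"), "undetermined")
        tally[(r.get("compression_alg") or "unknown", outcome)] += 1
    return tally


if __name__ == "__main__":
    records = list(parse_bro_log(SAMPLE_SSH_LOG))
    for r in undetermined(records):
        print(r["uid"], r["id.orig_h"], "->", r["id.resp_h"], r["compression_alg"])
    print(dict(summarize(records)))
```
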

