[Bro] [bro] ssh connections.

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Thu Mar 17 11:14:18 PDT 2016


Nice, thanks for the explanation.  I sometimes see this when working cases in ELSA, as I always look for BRO_SSH entries.  It's the second case that I believe I'm seeing, and I think Seth explained it to me a couple of months back as well.  Suricata picks them up, so it hasn't been a high priority for me to delve into the Bro analyzers.  That, and I haven't done any real C++ programming in a very long time, though I wish I could.



-----Original Message-----
From: Azoff, Justin S [mailto:jazoff at illinois.edu] 
Sent: Thursday, March 17, 2016 2:03 PM
To: Kellogg, Brian D (OLN)
Cc: Grigorescu, Vlad; Tim Desrochers; bro at bro.org
Subject: Re: [Bro] [bro] ssh connections.


> On Mar 17, 2016, at 1:55 PM, Kellogg, Brian D (OLN) <bkellogg at dresser-rand.com> wrote:
> 
> Similarly I’ve seen SSH sessions not identified when SSH is multiplexed with other protocols on the same port; e.g. SSH and HTTP on port 80.  Wish I had more time to help with detecting cases like this.
> 
> https://github.com/stealth/sshttp 

I've been working on that as part of https://bro-tracker.atlassian.net/browse/BIT-1521

There's a bug in the current known services policy that causes multiple protocols on the same port to not be logged to known_services.log, but they should still show up in conn.log as the proper service.

There is a slightly different but related issue in that if you send an http request to an ssh server or an ssh client banner to an http server, bro won't attach both analyzers to the connection.  So, you'll get either an http log or an ssh log, but not both.

-- 
- Justin Azoff
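
The gap Justin describes (conn.log records the right service per connection, but known_services.log may list only one of several protocols seen on a port) can be checked directly from the logs. The script below is an added example, not code from this thread or from the Bro project: it parses the two logs using the standard `#fields` header, groups conn.log by responder host and port, and reports services that conn.log attributes to a port but known_services.log does not list. It also counts connections on each port whose `service` field is `-`, which is where the second case (only one analyzer attached, so the session is never labelled) would show up. The field names are the standard Bro/Zeek ones; the log lines themselves are constructed sample data.

```python
"""Cross-check Bro/Zeek conn.log against known_services.log.

Added example (not from the mailing-list thread or the Bro project).
Reports, per (responder host, port), services that conn.log attributes to
the port but that known_services.log never records, plus connections on
that port that Bro left unidentified (service == "-").
"""
from collections import defaultdict

# Constructed sample logs in Bro's tab-separated format (abbreviated field
# lists; real logs carry more #-prefixed header lines, which are skipped).
CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "1458240000.0\tC1\t10.0.0.5\t50001\t192.0.2.10\t80\ttcp\tssh\n"
    "1458240001.0\tC2\t10.0.0.6\t50002\t192.0.2.10\t80\ttcp\thttp\n"
    "1458240002.0\tC3\t10.0.0.7\t50003\t192.0.2.10\t80\ttcp\t-\n"
    "1458240003.0\tC4\t10.0.0.8\t50004\t192.0.2.20\t22\ttcp\tssh\n"
)
KNOWN_SERVICES_LOG = (
    "#separator \\x09\n"
    "#fields\tts\thost\tport_num\tport_proto\tservice\n"
    "1458240000.0\t192.0.2.10\t80\ttcp\thttp\n"
    "1458240003.0\t192.0.2.20\t22\ttcp\tssh\n"
)


def parse_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # other header/footer lines
            continue
        if fields is None:
            raise ValueError("record before #fields header")
        yield dict(zip(fields, line.split("\t")))


def services_by_port(conn_records):
    """Map (resp_h, resp_p) -> set of services seen in conn.log, and count
    connections per port that carried no service label at all."""
    seen = defaultdict(set)
    unidentified = defaultdict(int)
    for r in conn_records:
        key = (r["id.resp_h"], int(r["id.resp_p"]))
        if r["service"] == "-":
            unidentified[key] += 1
        else:
            # Bro writes set[string] values comma-separated, e.g. "ssl,http".
            seen[key].update(r["service"].split(","))
    return seen, unidentified


def known_services(records):
    """Map (host, port_num) -> set of services recorded in known_services.log."""
    known = defaultdict(set)
    for r in records:
        key = (r["host"], int(r["port_num"]))
        if r["service"] != "-":
            known[key].update(r["service"].split(","))
    return known


def find_gaps(conn_text, known_text):
    """Return (gaps, unidentified): gaps maps a port key to the sorted list of
    services conn.log saw there but known_services.log lacks."""
    seen, unidentified = services_by_port(parse_log(conn_text))
    known = known_services(parse_log(known_text))
    gaps = {}
    for key, svcs in seen.items():
        missing = svcs - known.get(key, set())
        if missing:
            gaps[key] = sorted(missing)
    return gaps, dict(unidentified)


if __name__ == "__main__":
    gaps, unidentified = find_gaps(CONN_LOG, KNOWN_SERVICES_LOG)
    for (host, port), missing in sorted(gaps.items()):
        print(f"{host}:{port} seen in conn.log as {missing} "
              f"but missing from known_services.log")
    for (host, port), n in sorted(unidentified.items()):
        print(f"{host}:{port} has {n} connection(s) with no service label")
```

Run against real logs by reading the files instead of the constructed strings; a port that appears in `gaps` is exactly the multi-protocol case the known-services policy misses, while a high unidentified count on a port that otherwise shows `ssh` or `http` is worth a closer look, since it is the symptom of only one analyzer being attached.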


