[Bro] Understanding Connection history for ssh.
fatema bannatwala
fatema.bannatwala at gmail.com
Mon Oct 10 10:37:31 PDT 2016
Hi Bro team,
I am trying to understand the 'history' field in conn.log for failed and
successful ssh logins.
Can we tell by looking into it whether the ssh connection was successful or
not?
For example: we had a case today where bro-intel flagged an IP as bad with
an 85% confidence rate, and when we looked at the conn.log entry corresponding
to that uid, we saw that that IP was trying to SSH into a machine.
Now the question is: can we tell by looking at the history (ShAdDa) that
the SSH connection was successful?
intel.log entry
1476046696.592070 CXs7MT25xi6ykmT3o1 77.242.90.96 50367 x.y.z.k 22 - - - 77.242.90.96 Intel::ADDR SSH::SUCCESSFUL_LOGIN worker-3-4 dataplane.org 85.0 scanner
conn.log entry
1476046725.508913 CXs7MT25xi6ykmT3o1 77.242.90.96 50367 x.y.z.k 22 tcp ssh 10.623538 1383 1843 S1 F T 0 ShAdDa 15 2171 15 2631 (empty)
ssh.log entry
1476046725.634328 CXs7MT25xi6ykmT3o1 77.242.90.96 50367 x.y.z.k 22 2 T INBOUND SSH-2.0-libssh2_1.7.0 SSH-2.0-1.82 sshlib: WinSSHD 4.27 aes256-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss b9:93:6a:61:8d:29:01:ec:aa:01:1f:0e:90:0a:7b:6e CZ 84 Prerov 49.453899 17.4524
Also, what would the conn history look like in the case of a failed SSH
login?
Thanks for the help.
Thanks,
Fatema.
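Added example (my own code, not from this thread or from Bro): it expands a conn.log history string such as ShAdDa into per-side TCP events and shows what the field can and cannot tell you. History records the TCP handshake and whether payload flowed in each direction, which every SSH session reaches once banners are exchanged, so a failed login still shows a completed handshake and data both ways; the login outcome is the auth_success column of ssh.log (the T after the protocol version 2 in the ssh.log line quoted above). Letter meanings follow the Bro conn.log documentation (uppercase = originator, lowercase = responder).

```python
# Added example (not from the thread or from Bro itself): decode a Bro/Zeek
# conn.log "history" string. Letter meanings follow the Bro conn.log docs:
# uppercase = sent by the originator, lowercase = sent by the responder.
HISTORY_FLAGS = {
    "s": "SYN (no ACK)", "h": "SYN-ACK", "a": "pure ACK",
    "d": "packet with payload", "f": "FIN", "r": "RST",
    "c": "bad checksum", "t": "retransmitted payload",
}


def decode_history(history):
    """Expand each history letter into (side, meaning), in the order Bro saw them."""
    events = []
    for ch in history:
        side = "orig" if ch.isupper() else "resp"
        events.append((side, HISTORY_FLAGS.get(ch.lower(), "other flag " + ch)))
    return events


def handshake_completed(history):
    """True when S (orig SYN), h (resp SYN-ACK) and A (orig ACK) occur in that order."""
    pos = 0
    for needed in ("S", "h", "A"):
        pos = history.find(needed, pos)
        if pos < 0:
            return False
        pos += 1
    return True


def summarize(history, auth_success=None):
    """What history does and does not tell you about an SSH connection.

    auth_success is the ssh.log column ('T'/'F'): the login outcome lives only
    there, so without it login_success stays None whatever history says.
    """
    return {
        "handshake": handshake_completed(history),
        "payload_both_ways": "D" in history and "d" in history,
        "reset_seen": "r" in history.lower(),
        "login_success": {"T": True, "F": False}.get(auth_success),
    }


if __name__ == "__main__":
    # Values taken from the conn.log and ssh.log lines quoted in the message.
    for side, meaning in decode_history("ShAdDa"):
        print(side, meaning)
    print(summarize("ShAdDa", auth_success="T"))
```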