[Bro] Understanding Connection history for ssh.

James Lay jlay at slave-tothe-box.net
Mon Oct 10 12:26:05 PDT 2016


On 2016-10-10 13:22, fatema bannatwala wrote:
> Hi James,
> 
> Thank you for the answer.
> The problem is that, when we contacted the concerned party,
> they say that they don't see any login attempts from that IP and
> are asking whether we were sure that the ssh login was successful.
> Looking at what we have recorded using Bro, I just wanted to know how
> one could tell whether the ssh login resulted in a success/failure
> just by looking at the bro conn.log and ssh.log.
> Hence, I wanted to know the heuristics behind setting that
> 'auth_success' field to T or F.
> 
> Thanks,
> Fatema.

Understood...looking at the reputation of that IP I would stick with the 
theory that there was success.  Also I would look into correlating the 
bro logs with ssh logs.

James
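
Added example (not part of the original message, and not Bro project code): one way to do the correlation suggested above, matching Bro ssh.log rows to sshd auth-log lines by source IP, source port and time, so that a Bro auth_success=T with no matching "Accepted" line stands out. The log lines are constructed; the column subset, the year 2016, UTC syslog timestamps and the absence of NAT between sensor and server are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample data. Bro ssh.log is tab-separated; only a subset of columns is shown.
BRO_SSH_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tauth_success
1476123900.120000\tCabc1\t203.0.113.7\t51514\t192.0.2.10\t22\tT
1476124500.450000\tCabc2\t203.0.113.7\t51600\t192.0.2.10\t22\tT
1476124800.000000\tCabc3\t198.51.100.9\t40022\t192.0.2.10\t22\tF
"""
# Constructed sshd syslog lines from the destination host (assumed to log in UTC).
SSHD_AUTH_LOG = """Oct 10 18:25:03 web1 sshd[2211]: Accepted password for alice from 203.0.113.7 port 51514 ssh2
Oct 10 18:35:04 web1 sshd[2290]: Failed password for root from 203.0.113.7 port 51600 ssh2
"""
SSHD_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: (Accepted|Failed) \S+ for "
                     r"(?:invalid user )?\S+ from (\S+) port (\d+)")

def parse_bro(text):
    """Return ssh.log rows as dicts keyed by the names on the #fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def parse_sshd(text, year=2016):
    """Return (epoch, src_ip, src_port, outcome); syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            epoch = when.replace(tzinfo=timezone.utc).timestamp()
            events.append((epoch, m.group(3), m.group(4), m.group(2)))
    return events

def correlate(bro_rows, sshd_events, window=60):
    """Compare Bro's auth_success with what sshd logged for the same IP, port and time."""
    verdicts = {}
    for r in bro_rows:
        hits = [e[3] for e in sshd_events
                if e[1] == r["id.orig_h"] and e[2] == r["id.orig_p"]
                and abs(e[0] - float(r["ts"])) <= window]
        if not hits:
            verdicts[r["uid"]] = "no sshd record"
        else:
            same = ("Accepted" in hits) == (r["auth_success"] == "T")
            verdicts[r["uid"]] = "agree" if same else "disagree"
    return verdicts

if __name__ == "__main__":
    print(correlate(parse_bro(BRO_SSH_LOG), parse_sshd(SSHD_AUTH_LOG)))
```

Rows that come back as "disagree" or "no sshd record" are the ones worth raising with the owner of the destination host.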

