[Bro] Understanding Connection history for ssh.

James Lay jlay at slave-tothe-box.net
Mon Oct 10 12:26:05 PDT 2016

On 2016-10-10 13:22, fatema bannatwala wrote:
> Hi James,
> Thank you for the answer.
> The problem is that, when contacted the concerned party,
> they say that they don't see any login attempts from that IP and
> asking whether we were sure that the ssh login were successful.
> Looking at what we have recorded using Bro, I just wanted to know how
> one could
> tell whether the ssh login resulted a success/ failure just by looking
> at the bro conn.log, and ssh.log.
> Hence, wanted to know the heuristics behind setting that
> 'auth_success' field to T or F.
> Thanks,
> Fatema.

Understood...looking at the reputation of that IP I would stick with the 
theory that there was success.  Also I would look into correlating the 
bro logs with ssh logs.


More information about the Bro mailing list