[Bro] Understanding Connection history for ssh.

Munroe Sollog mus3 at lehigh.edu
Mon Oct 10 12:42:51 PDT 2016



On 10/10/2016 02:11 PM, James Lay wrote:
> On 2016-10-10 11:37, fatema bannatwala wrote:
>> Hi Bro team,
>>
>> I am trying to understand the 'history' field in conn.log for failed
>> and successful ssh logins.
>> Can we tell by looking into it whether the ssh connection was
>> successful or not?
>>
>> For ex: We had a case today where bro-intel flagged an IP to be bad
>> with 85% confidence rate, and when we saw the conn.log corresponding
>> to that uid, we saw that that IP was trying to ssh into a machine.
>> Now the question is, can we tell by looking at the history - ShAdDa
>> that the ssh was successful?
>>
>> intel.log entry
>> 1476046696.592070   CXs7MT25xi6ykmT3o1   77.242.90.96   50367  
>> X.Y.Z.K   22 - - - 77.242.90.96   Intel::ADDR   SSH::SUCCESSFUL_LOGIN
>>  worker-3-4   dataplane.org [1] 85.0 scanner
>>
>> conn.log entry
>> 1476046725.508913   CXs7MT25xi6ykmT3o1   77.242.90.96   50367   
>> X.Y.Z.K   22   tcp ssh 10.623538   1383   1843   S1   F   T   0  
>> SHADDA   15 2171 15 2631 (empty)
>>
>> ssh.log entry
>>
>> 1476046725.634328       CXs7MT25xi6ykmT3o1      77.242.90.96    50367
>>  X.Y.Z.K    22      2       T       INBOUND SSH-2.0-libssh2_1.7.0  
>> SSH-2.0-1.82 sshlib: WinSSHD 4.27     aes256-cbc      hmac-sha1      
>> none    diffie-hellman-group1-sha1      ssh-dss
>> b9:93:6a:61:8d:29:01:ec:aa:01:1f:0e:90:0a:7b:6e CZ      84      Prerov
>>                                  49.453899       17.4524
>>
>> Also, what would the conn history look like in case of a failed ssh
>> login?
>>
>> Thanks for the help.
>>
>> Thanks,
>> Fatema.
> 
> Fatema,
> The T in your ssh.log is "auth_success", so yes...bro views this as a successful login.  Also, that
> source IP is not so good...that IP is listed in https://lists.blocklist.de/lists/ssh.txt.
>  
> James

Be careful taking that column as fact.  It seems like the success of an SSH connection is purely
based on the size of the response.  A large SSH banner can cause a false positive.


-- 
Munroe Sollog
LTS - Senior Network Engineer
x85002
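As an added illustration of the point raised in this thread (this is example code, not part of any message above and not Bro's own scripts): a small decoder for the conn.log history letters, applied to a line constructed from the values quoted in the thread. It assumes the 21-column Bro 2.x conn.log layout and keeps the poster's X.Y.Z.K placeholder; it shows what the history does record (handshake, which side sent payload, who closed) and, by omission, that nothing in it encodes whether the SSH authentication succeeded.

```python
from collections import Counter

# Bro 2.x conn.log column order, matching the 21-column line quoted in the thread.
CONN_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration "
               "orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes "
               "history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents").split()

# Meaning of each history letter per the Zeek/Bro conn.log documentation;
# uppercase = sent by the originator, lowercase = sent by the responder.
HISTORY_FLAGS = {
    "s": "SYN", "h": "SYN+ACK", "a": "ACK", "d": "payload", "f": "FIN", "r": "RST",
    "c": "bad checksum", "g": "content gap", "t": "retransmission",
    "w": "zero window", "i": "inconsistent packet", "q": "multi-flag packet",
}

def parse_conn_line(line):
    """Turn one whitespace-separated conn.log line into a dict keyed by field name."""
    values = line.split()
    if len(values) != len(CONN_FIELDS):
        raise ValueError("expected %d columns, got %d" % (len(CONN_FIELDS), len(values)))
    return dict(zip(CONN_FIELDS, values))

def decode_history(history):
    """Expand 'ShAdDa' into [('orig','SYN'), ('resp','SYN+ACK'), ...] in packet order."""
    events = []
    for ch in history:
        if ch == "^":                      # Bro flipped the direction of this connection
            events.append(("note", "direction flipped"))
            continue
        side = "orig" if ch.isupper() else "resp"
        events.append((side, HISTORY_FLAGS.get(ch.lower(), "unknown " + ch)))
    return events

def summarize(history):
    """What the history alone can say about a session: handshake, payload, teardown."""
    events = decode_history(history)
    seen = set(events)
    closers = [side for side, meaning in events if meaning in ("FIN", "RST")]
    return {
        "handshake_complete": {("orig", "SYN"), ("resp", "SYN+ACK"), ("orig", "ACK")} <= seen,
        "orig_sent_data": ("orig", "payload") in seen,
        "resp_sent_data": ("resp", "payload") in seen,
        "closed_by": closers[0] if closers else None,   # None: still open when logged
    }

# Constructed from the conn.log line quoted in the thread (placeholder host kept;
# history written as ShAdDa, the form the poster gives in prose).
SAMPLE = ("1476046725.508913\tCXs7MT25xi6ykmT3o1\t77.242.90.96\t50367\tX.Y.Z.K\t22\ttcp\tssh\t"
          "10.623538\t1383\t1843\tS1\tF\tT\t0\tShAdDa\t15\t2171\t15\t2631\t(empty)")

if __name__ == "__main__":
    rec = parse_conn_line(SAMPLE)
    print(rec["history"], decode_history(rec["history"]), summarize(rec["history"]))
```

For the quoted connection the summary shows a completed handshake and payload in both directions with no FIN or RST yet, which is equally consistent with a banner exchange followed by a rejected login; the verdict in ssh.log comes from the analyzer's own heuristic, not from these flags.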

