[Bro] Understanding Connection history for ssh.
mus3 at lehigh.edu
Mon Oct 10 12:42:51 PDT 2016
On 10/10/2016 02:11 PM, James Lay wrote:
> On 2016-10-10 11:37, fatema bannatwala wrote:
>> Hi Bro team,
>> I am trying to understand the 'history' field in conn.log for failed
>> and successful ssh logins.
>> Can we tell by looking into it whether the ssh connection was
>> successful or not?
>> For example: We had a case today where bro-intel flagged an IP to be bad
>> with 85% confidence rate, and when we saw the conn.log corresponding
>> to that uid, we saw that that IP was trying to ssh into a machine.
>> Now the question is, can we tell by looking at the history - ShAdDa
>> that the ssh was successful?
>> intel.log entry
>> 1476046696.592070 CXs7MT25xi6ykmT3o1 184.108.40.206 50367
>> X.Y.Z.K 22 - - - 220.127.116.11 Intel::ADDR SSH::SUCCESSFUL_LOGIN
>> worker-3-4 dataplane.org  85.0 scanner
>> conn.log entry
>> 1476046725.508913 CXs7MT25xi6ykmT3o1 18.104.22.168 50367
>> X.Y.Z.K 22 tcp ssh 10.623538 1383 1843 S1 F T 0
>> SHADDA 15 2171 15 2631 (empty)
>> ssh.log entry
>> 1476046725.634328 CXs7MT25xi6ykmT3o1 22.214.171.124 50367
>> X.Y.Z.K 22 2 T INBOUND SSH-2.0-libssh2_1.7.0
>> SSH-2.0-1.82 sshlib: WinSSHD 4.27 aes256-cbc hmac-sha1
>> none diffie-hellman-group1-sha1 ssh-dss
>> b9:93:6a:61:8d:29:01:ec:aa:01:1f:0e:90:0a:7b:6e CZ 84 Prerov
>> 49.453899 17.4524
>> Also, what would the conn history look like in case of a failed ssh?
>> Thanks for the help.
> The T in your ssh.log is "auth_success", so yes...bro views this as a successful login. Also, that
> source IP is not so good...that IP is listed in https://lists.blocklist.de/lists/ssh.txt.
Be careful taking that column as fact. It seems like the success of an SSH connection is purely
based on the size of the response. A large SSH banner can cause a false positive.
LTS - Senior Network Engineer
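The two points raised in this thread (what the conn.log history letters actually say about a TCP session, and that ssh.log's auth_success is a heuristic) can be checked mechanically. The following is an added example, not code from the thread or from the Bro project. It decodes a conn.log history string letter by letter using the documented meanings (uppercase = originator, lowercase = responder), parses Bro's tab-separated ASCII log format, and joins conn.log with ssh.log by uid. The two log snippets are constructed for the example: the first record mirrors the thread's connection with the uid kept and the addresses replaced by RFC 5737 placeholders, the second is an invented failed login; the ssh.log columns are a subset of the real ones.

```python
"""Decode Bro conn.log `history` and join it with ssh.log by uid.

Added example; the log records below are constructed, not real captures.
"""

# Letter meanings from the Bro conn.log documentation.
# Uppercase = sent by the originator, lowercase = sent by the responder.
HISTORY_FLAGS = {
    "s": "SYN (no ACK)",
    "h": "SYN+ACK",
    "a": "pure ACK",
    "d": "packet with payload",
    "f": "FIN",
    "r": "RST",
    "c": "bad checksum",
    "g": "content gap",
    "t": "retransmitted packet",
    "w": "zero window",
    "i": "inconsistent packet (e.g. FIN+RST)",
    "q": "multi-flag packet (SYN+RST or SYN+FIN)",
}


def decode_history(history):
    """Return a list of (side, meaning) tuples for a history string like 'ShAdDa'."""
    events = []
    for ch in history:
        meaning = HISTORY_FLAGS.get(ch.lower())
        if meaning is None:
            raise ValueError("unknown history letter: %r" % ch)
        events.append(("orig" if ch.isupper() else "resp", meaning))
    return events


def handshake_completed(history):
    """True if the history shows SYN, SYN+ACK and the originator's ACK in order."""
    i_s, i_h, i_a = history.find("S"), history.find("h"), history.find("A")
    return 0 <= i_s < i_h < i_a


def parse_bro_log(text):
    """Parse Bro's tab-separated ASCII log into dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line or (line.startswith("#") and not line.startswith("#fields")):
            continue  # blank line or metadata header (#separator, #path, ...)
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def ssh_login_assessment(conn_log, ssh_log):
    """Join conn.log and ssh.log on uid and report what each column supports.

    The history field only describes TCP-level events: a completed handshake
    and payload in both directions occur for failed logins too. The ssh.log
    auth_success column is Bro's heuristic verdict, so resp_bytes is surfaced
    alongside it for the analyst to sanity-check (a large banner inflates it).
    """
    ssh_by_uid = {r["uid"]: r for r in parse_bro_log(ssh_log)}
    result = {}
    for conn in parse_bro_log(conn_log):
        if conn["service"] != "ssh":
            continue
        hist = conn["history"]
        ssh = ssh_by_uid.get(conn["uid"])
        result[conn["uid"]] = {
            "history": hist,
            "handshake_completed": handshake_completed(hist),
            "payload_both_ways": "D" in hist and "d" in hist,
            "auth_success": None if ssh is None else ssh["auth_success"] == "T",
            "resp_bytes": int(conn["resp_bytes"]),
        }
    return result


def _tsv(*cols):
    return "\t".join(cols)


# Constructed sample logs (RFC 5737 placeholder addresses).
CONN_LOG = "\n".join([
    "#separator \\x09",
    _tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
         "local_orig", "local_resp", "missed_bytes", "history", "orig_pkts",
         "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents"),
    _tsv("1476046725.508913", "CXs7MT25xi6ykmT3o1", "192.0.2.10", "50367",
         "198.51.100.5", "22", "tcp", "ssh", "10.623538", "1383", "1843", "S1",
         "F", "T", "0", "ShAdDa", "15", "2171", "15", "2631", "(empty)"),
    _tsv("1476046800.000000", "CAbCdEfGhIjKlMnOp2", "192.0.2.10", "50401",
         "198.51.100.5", "22", "tcp", "ssh", "3.100000", "900", "1200", "SF",
         "F", "T", "0", "ShADadFf", "10", "1500", "9", "1700", "(empty)"),
])

SSH_LOG = "\n".join([
    _tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "version", "auth_success", "direction", "client", "server"),
    _tsv("1476046725.634328", "CXs7MT25xi6ykmT3o1", "192.0.2.10", "50367",
         "198.51.100.5", "22", "2", "T", "INBOUND", "SSH-2.0-libssh2_1.7.0",
         "SSH-2.0-1.82 sshlib: WinSSHD 4.27"),
    _tsv("1476046800.100000", "CAbCdEfGhIjKlMnOp2", "192.0.2.10", "50401",
         "198.51.100.5", "22", "2", "F", "INBOUND", "SSH-2.0-libssh2_1.7.0",
         "SSH-2.0-1.82 sshlib: WinSSHD 4.27"),
])


if __name__ == "__main__":
    for uid, info in ssh_login_assessment(CONN_LOG, SSH_LOG).items():
        print(uid, info)
        for side, meaning in decode_history(info["history"]):
            print("   ", side, meaning)
```

Both constructed connections complete the handshake and carry payload in both directions, so `history` alone gives the same answer for the successful and the failed login; only ssh.log's auth_success separates them, and that column is the heuristic the thread warns about.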