[Bro] Understanding Connection history for ssh.

fatema bannatwala fatema.bannatwala at gmail.com
Mon Oct 10 12:58:32 PDT 2016


Thanks Justin!
That makes sense, I was just curious to know how Bro evaluates the auth_success field :)
A quick question: as the connection was seen to last almost 10 secs, and I was thinking that the failed login connections are not that long, I wanted to ask whether it could be possible that the user might have got multiple password prompts over the same connection and Bro logged that single connection of 10 secs?
Would it also explain why no 'R' or 'F' flag was seen at the end of the conn history (*ShAdDa*)?

Thanks,
Fatema.



On Mon, Oct 10, 2016 at 3:37 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:

>
> > On Oct 10, 2016, at 3:22 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> >
> > The problem is that, when contacted the concerned party,
> > they say that they don't see any login attempts from that IP and
> > asking whether we were sure that the ssh login were successful.
>
> If they are not seeing *any* attempts then something is screwed up with
> the logging on their end.
>
> It's possible that the value of auth_success is wrong[1], but it's not
> possible that no attempt happened.  There was a TCP 3-way handshake, there
> was an ssh protocol negotiation, they should have something in their logs.
>
>
> [1] Or misleading, often from the SSH point of view it was a login, but
> sometimes the remote system drops you into another password prompt instead
> of a shell. Appliances do this a lot.
>
> --
> - Justin Azoff
>
>
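As an added example (not code from the Bro project or from either poster), a small Python helper that decodes a conn.log history string such as the `ShAdDa` discussed above, using the letter meanings from Bro's conn.log documentation, and reports whether Bro ever saw a FIN or RST on the connection; the sample histories in the test are constructed.

```python
"""Decode a Bro conn.log `history` string such as "ShAdDa".

Added example, not code from the Bro project. Letter meanings follow the
Bro conn.log documentation: an uppercase letter means the packet came from
the originator, a lowercase letter means it came from the responder.
"""

# Meaning of each history code (case-folded; case encodes the side).
HISTORY_CODES = {
    "s": "SYN (no ACK)",
    "h": "SYN+ACK handshake",
    "a": "pure ACK",
    "d": "packet with payload",
    "f": "FIN",
    "r": "RST",
    "c": "bad checksum",
    "g": "content gap",
    "t": "retransmission",
    "i": "inconsistent packet",
    "q": "multi-flag packet (SYN+FIN or SYN+RST)",
}


def decode_history(history):
    """Return a list of (side, meaning) tuples, one per history letter."""
    events = []
    for ch in history:
        if ch == "^":
            events.append(("flip", "connection direction flipped"))
            continue
        side = "originator" if ch.isupper() else "responder"
        meaning = HISTORY_CODES.get(ch.lower(), "unknown code %r" % ch)
        events.append((side, meaning))
    return events


def summarize(history):
    """Summarize handshake, payload exchange and teardown as Bro saw them.

    teardown_seen is False when no FIN or RST from either side was
    observed, i.e. the connection was still open (or silently timed out)
    when Bro wrote the conn.log entry.
    """
    letters = set(history)
    return {
        "handshake_complete": {"S", "h", "A"} <= letters,
        "orig_sent_data": "D" in letters,
        "resp_sent_data": "d" in letters,
        "teardown_seen": bool(letters & {"F", "f", "R", "r"}),
    }
```

For `ShAdDa` the summary shows a completed handshake with payload in both directions and no teardown, which is consistent with the session still being open when the entry was written rather than having been reset after a failed login.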