[Bro] Understanding Connection history for ssh.

fatema bannatwala fatema.bannatwala at gmail.com
Thu Oct 27 12:35:30 PDT 2016


So, finally some closing remarks:
When asked to look deeper, the client finally did see the ssh attempts on
the server; the issue was with the time zone. It seemed the clock on the
client machine was 4 hrs ahead of EST, which is why the attempts were getting
logged with different time stamps than the ones logged in our logs.
When they searched a range of time periods they found them.
Unfortunately (or fortunately) they all were failed login attempts, and the
Bro alert for successful ssh was a false positive on our side.

We had a case in the past where Bro had reported a successful ssh in intel.log
for a Linux machine, and when verified with the client it was a true
positive, but for this case it came out to be a false positive. Hence I was
just thinking that maybe Bro might have a high false positive rate for WinSSHD
or ssh for Windows, say; I might be wrong.

Thanks,
Fatema.

On Mon, Oct 10, 2016 at 3:58 PM, fatema bannatwala <
fatema.bannatwala at gmail.com> wrote:

> Thanks Justin!
> That makes sense, I was just curious to know how Bro evaluates the
> auth_success field :)
> A quick question: as the connection was seen to last almost 10 secs, and
> I was thinking that failed login connections are not that long, I wanted
> to ask whether it could be possible that the user got multiple password
> prompts over the same connection and Bro logged that as a single
> connection of 10 secs?
> Would it also explain why no 'R' or 'F' flag was seen at the end of the
> conn history (ShAdDa)?
>
> Thanks,
> Fatema.
>
>
>
> On Mon, Oct 10, 2016 at 3:37 PM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
>
>>
>> > On Oct 10, 2016, at 3:22 PM, fatema bannatwala <
>> fatema.bannatwala at gmail.com> wrote:
>> >
>> > The problem is that, when we contacted the concerned party,
>> > they said that they don't see any login attempts from that IP and
>> > asked whether we were sure that the ssh logins were successful.
>>
>> If they are not seeing *any* attempts then something is screwed up with
>> the logging on their end.
>>
>> It's possible that the value of auth_success is wrong[1], but it's not
>> possible that no attempt happened.  There was a TCP 3-way handshake, there
>> was an ssh protocol negotiation; they should have something in their logs.
>>
>>
>> [1] Or misleading, often from the SSH point of view it was a login, but
>> sometimes the remote system drops you into another password prompt instead
>> of a shell. Appliances do this a lot.
>>
>> --
>> - Justin Azoff
>>
>>
>
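As an added example (not code from the Bro project or from anyone in this thread), the Python below does the two checks this thread turned on: it decodes a conn.log history string such as the ShAdDa one discussed above, answering from the flags alone whether the handshake completed, whether both sides sent data and whether Bro ever saw a teardown, and it translates a Bro record's UTC epoch timestamp into the wall-clock window to search in a peer's logs when that peer's clock is skewed. The flag letters follow Bro's documented history field; the sample record, the UTC-5 display offset standing in for EST and the +4 h peer skew are constructed to mirror the thread.

```python
"""Decode a Bro conn.log `history` string and re-align timestamps for a
peer whose clock is skewed.

Added example, not code from the Bro project or from anyone in this thread.
Flag letters follow the documented Bro conn.log history field; the sample
history, the UTC-5 display offset and the +4 h peer skew are constructed
to mirror the ShAdDa connection and the clock discrepancy described above.
"""
from datetime import datetime, timedelta, timezone

# Bro history letters. Uppercase = sent by the originator, lowercase = by
# the responder. '^' marks a direction flip and has no sender.
HISTORY_FLAGS = {
    "s": "SYN without ACK",
    "h": "SYN+ACK (handshake)",
    "a": "pure ACK",
    "d": "packet with payload (data)",
    "f": "FIN",
    "r": "RST",
    "c": "packet with bad checksum",
    "i": "inconsistent packet (e.g. FIN+RST set)",
    "q": "multi-flag packet (SYN+FIN or SYN+RST)",
    "^": "connection direction flipped by Bro's heuristic",
}


def decode_history(history):
    """Expand a history string into (sender, meaning) pairs in observed order."""
    events = []
    for ch in history:
        meaning = HISTORY_FLAGS.get(ch.lower())
        if meaning is None:
            raise ValueError("unknown history flag %r" % ch)
        if ch == "^":
            sender = "bro"
        elif ch.isupper():
            sender = "originator"
        else:
            sender = "responder"
        events.append((sender, meaning))
    return events


def _in_order(letters, wanted):
    """True if the characters of `wanted` appear in `letters` in that order."""
    pos = 0
    for ch in letters:
        if ch == wanted[pos]:
            pos += 1
            if pos == len(wanted):
                return True
    return False


def summarize_history(history):
    """Answer the thread's questions from the history alone: did the
    handshake complete, did both sides send data, and did Bro see a teardown
    (FIN or RST from either side)?"""
    letters = history.replace("^", "")
    return {
        # S then h then A, in that order, is a completed three-way handshake.
        "handshake_complete": _in_order(letters, "ShA"),
        "orig_sent_data": "D" in letters,
        "resp_sent_data": "d" in letters,
        # No F/R from either side means Bro never saw the connection close:
        # it may still have been open when the record was written, or the
        # teardown was not on the monitored path. It says nothing about
        # whether authentication succeeded.
        "teardown_observed": any(c in letters for c in "FfRr"),
    }


def peer_search_window(ts, duration, analyst_utc_offset, peer_skew,
                       slack=timedelta(minutes=5)):
    """Translate a Bro record (ts = epoch seconds UTC, duration in seconds)
    into the naive wall-clock range to search in a peer's logs.

    analyst_utc_offset: zone the analyst reads Bro logs in (e.g. UTC-5).
    peer_skew: how far the peer's clock runs ahead of that zone (negative
    if behind). The window is padded by `slack` on each side.
    """
    start_utc = datetime.fromtimestamp(ts, tz=timezone.utc)
    start_local = start_utc.astimezone(timezone(analyst_utc_offset))
    end_local = start_local + timedelta(seconds=duration)
    start_peer = (start_local + peer_skew - slack).replace(tzinfo=None)
    end_peer = (end_local + peer_skew + slack).replace(tzinfo=None)
    return start_peer, end_peer


if __name__ == "__main__":
    # Constructed record: 2016-10-10 15:00:00 UTC, a 10 s connection with
    # the ShAdDa history from the thread.
    sample = {"ts": 1476111600.0, "duration": 10.0, "history": "ShAdDa"}
    for sender, meaning in decode_history(sample["history"]):
        print("%-10s %s" % (sender, meaning))
    print(summarize_history(sample["history"]))
    start, end = peer_search_window(sample["ts"], sample["duration"],
                                    timedelta(hours=-5), timedelta(hours=4))
    print("search the peer's logs from", start, "to", end)
```

For the ShAdDa record the summary reports a completed handshake and data in both directions but no teardown, so the missing F/R only tells you Bro did not see the close; the auth_success verdict has to be checked against the peer's own logs, which is what the search window is for.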