[Bro] Question about duplicate traffic with load balancing and SSH::Password_Guessing

Eric Hacecky hacecky at jlab.org
Fri Apr 21 07:49:11 PDT 2017


I'm trying to correlate the notices generated by SSH::Password_Guessing with bro/firewall logs.

I currently have detect-bruteforcing variables at the default of 30 failed SSH attempts over a 30 minute period as the limit before a host is considered to be guessing passwords and a notice is generated.

Example:

//Bro Notice
Message:	 1.1.1.1 appears to be guessing SSH passwords (seen in 62 connections). 
Sub:	 Sampled servers:  2.2.2.2, 2.2.2.2, 2.2.2.2, 2.2.2.2, 2.2.2.2    (yes it lists the same SSH server 5 times)
Src:	 1.1.1.1 
Dst:	 - 
UID:	 - 
FUID:	 - 
File Mime Type:	 -  
File Desc:	 - 
Proto:	 - 
P:	 - 
N:	 - 
Peer Descr:	 worker-2-2 
Actions:	 Notice::ACTION_EMAIL,Notice::ACTION_LOG  

// Bro ssh.log for that timeframe
[root at bro]# cat ssh.21\:00\:00-22\:00\:00.log | /usr/local/bro/bin/bro-cut -d ts id.orig_h auth_success | grep 1.1.1.1
2017-04-18T21:36:58-0400	1.1.1.1		T     <--- this line is repeated 31 times
2017-04-18T21:37:45-0400	1.1.1.1	        T     <--- this line is repeated 31 times

Notice that auth_success is True.

//Firewall logs
Just shows the two (successful) ssh connections at the corresponding times.

My load balancing setup:

lb_method=myricom
lb_procs=31

This is a single box with 32 cores.

----------------

This brings up two questions.

Why is SSH::Password_Guessing generating a notice when auth_success is True?

Is this expected behavior with my load balancing setup?  That the same connection is fed to all 31 cores?

Thanks,
Eric
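The second question (whether the same connection is being handed to every worker) can be checked directly from ssh.log: if a connection is replicated across workers, the same timestamp and 5-tuple will appear once per worker, each with a different uid. The script below is an added example and is not part of the post or of Bro itself; it assumes the default Bro TSV log layout with a '#fields' header, and the sample log embedded in it is constructed to mimic the replication described above (two connections each logged three times).

```python
"""Added example (not from the mailing-list post or from Bro): find SSH
connections that appear more than once in a Bro ssh.log and count
auth_success per client after collapsing those duplicates.

Assumes the default Bro TSV layout: comment lines start with '#', and the
'#fields' line names the columns. The sample log below is constructed.
"""

from collections import Counter, defaultdict

# Constructed sample: two connections from 1.1.1.1 logged three times each
# (as if three workers all saw the packets), plus one seen only once.
SAMPLE_SSH_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssh
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tauth_success
#types\ttime\tstring\taddr\tport\taddr\tport\tbool
1492565818.123456\tCAbc1\t1.1.1.1\t51000\t2.2.2.2\t22\tT
1492565818.123456\tCAbc2\t1.1.1.1\t51000\t2.2.2.2\t22\tT
1492565818.123456\tCAbc3\t1.1.1.1\t51000\t2.2.2.2\t22\tT
1492565865.654321\tCDef1\t1.1.1.1\t51002\t2.2.2.2\t22\tT
1492565865.654321\tCDef2\t1.1.1.1\t51002\t2.2.2.2\t22\tT
1492565865.654321\tCDef3\t1.1.1.1\t51002\t2.2.2.2\t22\tT
1492565900.000000\tCGhi1\t3.3.3.3\t40000\t2.2.2.2\t22\tF
#close\t2017-04-18-22-00-00
"""

# Columns that identify one connection. uid is deliberately left out: each
# worker assigns its own uid, so replicated connections differ only in uid.
CONN_KEY = ("ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p")


def parse_bro_log(text):
    """Yield one dict per record, keyed by the column names in '#fields'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blank lines
        if fields is None:
            raise ValueError("record encountered before #fields header")
        yield dict(zip(fields, line.split("\t")))


def duplicate_connections(text):
    """Return {conn_key: [uid, ...]} for every connection logged more than
    once. The length of each uid list is how many workers logged it."""
    seen = defaultdict(list)
    for rec in parse_bro_log(text):
        seen[tuple(rec[k] for k in CONN_KEY)].append(rec["uid"])
    return {key: uids for key, uids in seen.items() if len(uids) > 1}


def success_counts(text, orig_h):
    """Count auth_success values for one client after deduplicating on the
    connection key, so a connection replicated across workers counts once."""
    uniq = {}
    for rec in parse_bro_log(text):
        if rec["id.orig_h"] == orig_h:
            uniq[tuple(rec[k] for k in CONN_KEY)] = rec["auth_success"]
    return Counter(uniq.values())


if __name__ == "__main__":
    # To run against a real file: text = open("ssh.log").read()
    for conn, uids in duplicate_connections(SAMPLE_SSH_LOG).items():
        print(f"{conn}: logged {len(uids)} times, uids {uids}")
    print("1.1.1.1 auth_success after dedup:", dict(success_counts(SAMPLE_SSH_LOG, "1.1.1.1")))
```

If a real ssh.log shows every connection repeated roughly lb_procs times, the workers are receiving copies of the same packets rather than disjoint flows, and the per-connection counts in the notice will be inflated by the same factor.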

