[Bro] Successful and failed login details
Seth Hall
seth at corelight.com
Sun Jul 23 13:02:30 PDT 2017
On Sat, Jul 22, 2017 at 9:08 AM Vikram Basu <vikrambasu059 at gmail.com> wrote:
> Is it possible to get successful and failed login details for HTTP/FTP/SSH
> connections using Bro IDS ? Also can it identify which user is trying to do
> the connections, in addition to the IP address of the machine ?
>
It is possible, but at the moment you will need to do it in a
less-than-pleasant way. You would do it by finding the events for each of
the relevant protocols where the data is available. I've been hoping to
find some time to get a version of the long discussed "authentication
framework" into 2.6. Once that's available you would be able to access
authentication information directly through there as an abstraction.
.Seth
--
Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170723/b8f2aff5/attachment.html
More information about the Bro
mailing list