[Bro] Successful and failed login details

Seth Hall seth at corelight.com
Sun Jul 23 13:02:30 PDT 2017

On Sat, Jul 22, 2017 at 9:08 AM Vikram Basu <vikrambasu059 at gmail.com> wrote:

> Is it possible to get successful and failed login details for HTTP/FTP/SSH
> connections using Bro IDS ? Also can it identify which user is trying to do
> the connections, in addition to the IP address of the machine ?

It is possible, but at the moment you will need to do it in a
less-than-pleasant way.  You would do it by finding the events for each of
the relevant protocols where the data is available.  I've been hoping to
find some time to get a version of the long discussed "authentication
framework" into 2.6.  Once that's available you would be able to access
authentication information directly through there as an abstraction.


Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170723/b8f2aff5/attachment.html 

More information about the Bro mailing list