[Bro] Bro doesn't detect SSH version in local network

Anton Egorov egoant495 at gmail.com
Wed Jun 21 07:37:12 PDT 2017


The offloading is disabled on both NICs and the -C option also doesn't do
the trick.

While reading a pcap of saved SSH traffic, Bro outputs a warning:

# /usr/local/bro/bin/bro -C -r /root/eth1-ssh.cap /usr/local/bro/share/bro/pluton/os-app-detect.bro local
UNKNOWN
1497975118.771257 warning: Stream SOrfileNrXm8iGmlR6 is already queued for removal. Ignoring remove.

while on a pcap from the other interface:

# /usr/local/bro/bin/bro -C -r /root/eth0-ssh.cap /usr/local/bro/share/bro/pluton/os-app-detect.bro local
UNKNOWN
OpenSSH OpenSSH_6.0p1 Debian-4+deb7u3

Thank you

2017-06-21 17:21 GMT+03:00 Azoff, Justin S <jazoff at illinois.edu>:

>
> > On Jun 21, 2017, at 8:45 AM, Anton Egorov <egoant495 at gmail.com> wrote:
> >
> > Hi,
> >
> > Bro somehow doesn't detect the SSH client version when listening on a local network interface.
>
> see
>
> https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums
>
> --
> - Justin Azoff
>
>
>