[Bro] Bro doesn't detect SSH version in local network
Azoff, Justin S
jazoff at illinois.edu
Wed Jun 21 07:44:58 PDT 2017
> On Jun 21, 2017, at 10:37 AM, Anton Egorov <egoant495 at gmail.com> wrote:
>
> The offloading is disabled on both NICs and the -C option also doesn't do the trick.
>
> While reading pcap of a saved ssh traffic bro outputs a warning:
>
> # /usr/local/bro/bin/bro -C -r /root/eth1-ssh.cap /usr/local/bro/share/bro/pluton/os-app-detect.bro local
> UNKNOWN
> 1497975118.771257 warning: Stream SOrfileNrXm8iGmlR6 is already queued for removal. Ignoring remove.
>
> while on a pcap from the other interface:
>
> # /usr/local/bro/bin/bro -C -r /root/eth0-ssh.cap /usr/local/bro/share/bro/pluton/os-app-detect.bro local
> UNKNOWN
> OpenSSH OpenSSH_6.0p1 Debian-4+deb7u3
What does the full conn.log entry show for the SSH connection in these two cases?
Can you upgrade bro to 2.5 or the 2.5.1 beta? 2.4.1 is almost a year old at this point.
--
- Justin Azoff