[Bro] Bro doesn't detect SSH version in local network
Anton Egorov
egoant495 at gmail.com
Thu Jun 22 03:02:41 PDT 2017
The connection entries differ only in the `local_orig` and `local_resp` fields.
What is the meaning of these connection parameters?
2017-06-21 18:56 GMT+03:00 Azoff, Justin S <jazoff at illinois.edu>:
> >
> > On Jun 21, 2017, at 11:48 AM, Anton Egorov <egoant495 at gmail.com> wrote:
> >
> > Thank you, I'll upgrade to the 2.5 but the results will be later.
> >
> > Here the connection logs.
>
> Both of those conn log entries show that your pcaps only have packets from
> the source and no packets from the destination. Bro needs to see both
> halves of the conversation in order to work right. I'm surprised the pcap
> from eth0 reports an ssh version at all.
>
> > For command:
> >
> > # /usr/local/bro/bin/bro -C -r /root/eth0-ssh.cap /usr/local/bro/share/bro/pluton/os-app-detect.bro local
> >
> > conn.log is:
> >
> > #separator \x09
> > #set_separator ,
> > #empty_field (empty)
> > #unset_field -
> > #path conn
> > #open 2017-06-21-18-39-12
> > #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_cc resp_cc sensorname
> > #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string string
> > 1497975205.750554 CEKFhs8sv3uEuTO6e 10.31.10.189 34496 10.31.10.192 22 tcp ssh 1.860624 3151 0 SH T T 0 SADF 24 4407 0 0 (empty) - - (empty)
> > #close 2017-06-21-18-39-12
> >
> > And for command
> >
> > # /usr/local/bro/bin/bro -C -r /root/eth1-ssh.cap /usr/local/bro/share/bro/pluton/os-app-detect.bro local
> >
> > conn.log is:
> >
> > #separator \x09
> > #set_separator ,
> > #empty_field (empty)
> > #unset_field -
> > #path conn
> > #open 2017-06-21-18-40-03
> > #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_cc resp_cc sensorname
> > #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string string
> > 1497975114.740641 CX1F8jnuI7WceEAP6 192.168.99.189 33384 192.168.99.192 22 tcp ssh 4.030616 3151 0 SH F F 0 SADF 25 4459 0 0 (empty) - - (empty)
> > #close 2017-06-21-18-40-03
> >
> >
> > 2017-06-21 17:44 GMT+03:00 Azoff, Justin S <jazoff at illinois.edu>:
> >
> > > On Jun 21, 2017, at 10:37 AM, Anton Egorov <egoant495 at gmail.com>
> wrote:
> > >
> > > The offloading is disabled on both NIC's and the -C option also
> doesn't do the trick.
> > >
> > > While reading pcap of a saved ssh traffic bro outputs a warning:
> > >
> > > # /usr/local/bro/bin/bro -C -r /root/eth1-ssh.cap /usr/local/bro/share/bro/pluton/os-app-detect.bro local
> > > UNKNOWN
> > > 1497975118.771257 warning: Stream SOrfileNrXm8iGmlR6 is already queued for removal. Ignoring remove.
> > >
> > > while on a pcap from the other interface:
> > >
> > > # /usr/local/bro/bin/bro -C -r /root/eth0-ssh.cap /usr/local/bro/share/bro/pluton/os-app-detect.bro local
> > > UNKNOWN
> > > OpenSSH OpenSSH_6.0p1 Debian-4+deb7u3
> >
> > What does the full conn.log entry show for the SSH connection in these
> two cases?
> >
> > Can you upgrade bro to 2.5 or the 2.5.1 beta? 2.4.1 is almost a year
> old at this point.
> >
> > --
> > - Justin Azoff
> >
> >
>
>
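Justin's reading of the two conn.log records can be checked mechanically. The script below is an added example, not code from the Bro project or from anyone in the thread. It parses conn.log the way Bro's ASCII writer emits it (a `#fields` header naming the columns, other `#` lines as metadata, tab-separated records) and flags connections where the responder's half of the conversation never reached the sensor. Two signals in each record say so: `resp_pkts` is 0, and the `history` string (`SADF`) has only upper-case letters, because Bro writes originator packets in upper case and responder packets in lower case; `conn_state` `SH` (SYN from the originator, then its FIN, but never a SYN-ACK) is the same story. The `local_orig` and `local_resp` booleans asked about at the top of the thread record only whether the originator's and responder's addresses fall inside `Site::local_nets`; they say nothing about which direction was captured, which is why they differ between the two pcaps while the one-sidedness does not. The first two sample records are the ones quoted in the thread, re-joined onto single lines; the third is constructed here as a fully captured session for contrast.

```python
"""Flag one-sided connections in a Bro/Zeek conn.log.

Added example for the thread above, not Bro project code.  Works on any
conn.log carrying a '#fields' header; the sample below is embedded so the
script runs offline.
"""
from typing import Dict, List

# Column names exactly as in the '#fields' header quoted in the thread.
_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service "
           "duration orig_bytes resp_bytes conn_state local_orig local_resp "
           "missed_bytes history orig_pkts orig_ip_bytes resp_pkts "
           "resp_ip_bytes tunnel_parents orig_cc resp_cc sensorname").split()

_ROWS = [
    # eth0 capture, as quoted in the thread
    "1497975205.750554 CEKFhs8sv3uEuTO6e 10.31.10.189 34496 10.31.10.192 22 "
    "tcp ssh 1.860624 3151 0 SH T T 0 SADF 24 4407 0 0 (empty) - - (empty)",
    # eth1 capture, as quoted in the thread
    "1497975114.740641 CX1F8jnuI7WceEAP6 192.168.99.189 33384 192.168.99.192 22 "
    "tcp ssh 4.030616 3151 0 SH F F 0 SADF 25 4459 0 0 (empty) - - (empty)",
    # CONSTRUCTED record of a session where both directions were seen
    "1497975300.000000 Cconstructed0001 10.31.10.189 34500 10.31.10.192 22 "
    "tcp ssh 2.500000 3151 2980 SF T T 0 ShADadFf 24 4407 22 4100 (empty) - - (empty)",
]

# Assemble a conn.log in Bro's ASCII format: metadata lines start with '#',
# fields and records are separated by tabs ('#separator \x09').
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#path\tconn", "#fields\t" + "\t".join(_FIELDS)]
    + ["\t".join(row.split()) for row in _ROWS]
    + ["#close\t2017-06-21-18-40-03"]
)


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the names in the '#fields' line."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # #separator, #open, #close, ... carry no records
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(
                f"record has {len(values)} columns, header has {len(fields)}")
        records.append(dict(zip(fields, values)))
    return records


def responder_seen(rec: Dict[str, str]) -> bool:
    """True if any packet from the responder was captured.

    Bro's history string uses upper case for originator packets and lower
    case for responder packets, so an all-upper-case history such as 'SADF'
    means the responder's side is missing; resp_pkts gives the same answer
    from the packet counters.  Either signal is enough.
    """
    return rec["resp_pkts"] != "0" or any(c.islower() for c in rec["history"])


def one_sided(records: List[Dict[str, str]]) -> List[str]:
    """uids of connections for which only the originator's packets exist."""
    return [r["uid"] for r in records if not responder_seen(r)]


def describe(rec: Dict[str, str]) -> str:
    """One-line summary of the fields that matter for this diagnosis."""
    return (f"{rec['uid']} {rec['id.orig_h']}:{rec['id.orig_p']} -> "
            f"{rec['id.resp_h']}:{rec['id.resp_p']} state={rec['conn_state']} "
            f"history={rec['history']} orig_pkts={rec['orig_pkts']} "
            f"resp_pkts={rec['resp_pkts']} local_orig={rec['local_orig']} "
            f"local_resp={rec['local_resp']}")


if __name__ == "__main__":
    for rec in parse_conn_log(SAMPLE_CONN_LOG):
        tag = "ok       " if responder_seen(rec) else "ONE-SIDED"
        print(tag, describe(rec))
```

Run against a real log with `parse_conn_log(open("conn.log").read())`; a sensor that reports a large share of SSH (or any TCP) connections as one-sided is seeing only one direction of the traffic, whether because of the tap, the span port or the capture filter, and no amount of disabling NIC offloading or passing `-C` will make the protocol analyzers work until both halves arrive.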