[Bro] Bro doesn't detect SSH version in local network

Azoff, Justin S jazoff at illinois.edu
Thu Jun 22 06:44:48 PDT 2017


> On Jun 22, 2017, at 6:02 AM, Anton Egorov <egoant495 at gmail.com> wrote:
> 
> Connection entries differ only in the ` local_orig      local_resp` fields. What is the meaning of these connection parameters?

Ah, so you have 2 separate problems here.

Your first problem was that bro was only seeing half of the traffic.  Note, this does not have anything to do with whether or not you ran an ls command.  The TCP 3-way handshake and the ssh negotiation would include traffic from both sides.

Your latest conn log entry shows a proper record with packets from both directions of the connection, so whatever the issue you were having with that has been resolved.

Your second problem is that you are using the Software::log_software event. By default this will only log software seen on local ip addresses.  For a bro installation that is using broctl this is controlled by /usr/local/bro/etc/networks.cfg.  If you're normally using broctl just ensure that 192.168.99.0/24 and 10.31.10.0/24 (or whatever larger block you are using) is present in that file.  If you're not using broctl just use another script that includes

redef Site::local_nets = {
	10.0.0.0/8,	# Private IP space
	192.168.0.0/16,	# Private IP space
};


-- 
- Justin Azoff
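Worked example, added here and not part of Justin's reply or of the Bro distribution: a small Bro script that puts the two subnets mentioned in the thread into Site::local_nets, prints what Bro considers local at startup, and makes the Software framework report SSH banners for every host rather than only local ones. It assumes the subnets 10.31.10.0/24 and 192.168.99.0/24 from the thread (replace them with your own), and that `protocols/ssh/software` is loaded so the `SSH::SERVER` and `SSH::CLIENT` software types exist.

```bro
# Added example (not from the mailing-list thread): check which addresses
# Bro treats as local and log SSH software seen on both ends of a connection.

@load base/frameworks/software
@load protocols/ssh/software   # defines SSH::SERVER and SSH::CLIENT

# Assumed address space for this example; adjust to the networks you monitor.
# With broctl the same effect comes from editing etc/networks.cfg.
redef Site::local_nets += {
	10.31.10.0/24,		# assumed lab subnet from the thread
	192.168.99.0/24,	# assumed lab subnet from the thread
};

# By default only software on local hosts reaches Software::log_software.
# Track every host so the remote side's SSH version is logged as well.
redef Software::asset_tracking = ALL_HOSTS;

event bro_init()
	{
	# Quick sanity check that local_nets is what you think it is.
	# Both addresses below are constructed sample values.
	print fmt("10.31.10.5 local?  %s", Site::is_local_addr(10.31.10.5));
	print fmt("203.0.113.7 local? %s", Site::is_local_addr(203.0.113.7));
	}

event Software::log_software(rec: Software::Info)
	{
	# Only report SSH clients and servers; everything still goes to software.log.
	if ( rec$software_type == SSH::SERVER || rec$software_type == SSH::CLIENT )
		print fmt("%s (%s) -> %s", rec$host, rec$software_type,
		          rec$unparsed_version);
	}
```

Run it with `bro -r capture.pcap this-script.bro`: the two `bro_init` lines show immediately whether your subnets made it into `Site::local_nets`, and once a full SSH handshake (both directions) is in the trace, one line per side should appear together with the normal entries in software.log. If you only want remote hosts in addition to local ones, `Software::asset_tracking` also accepts `LOCAL_HOSTS`, `REMOTE_HOSTS` and `NO_HOSTS`.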