[Bro] Enable ssh detection?
Jon Siwek
jsiwek at corelight.com
Wed Sep 19 09:48:44 PDT 2018
On Wed, Sep 19, 2018 at 7:39 AM rahul rakesh <rahulbroids at gmail.com> wrote:
> PFA created pcap file after performing ssh logins.
> When it was used also , the ssh events are bot
> generating excepting version event.
Maybe attach the particular script you are using to make the
determination that the events are not being generated, because I do
see `ssh_auth_failed` get raised for that pcap. Or elaborate on what
you expect to see versus what you are not seeing.
Also note, as the docs say, failure/success determinations are made
via packet size analysis and aren't generally guaranteed to be made if
there's ambiguity.
- Jon
More information about the Bro
mailing list