[Bro] Enable ssh detection?

rahul rakesh rahulbroids at gmail.com
Tue Sep 18 13:06:25 PDT 2018


Hi Jon,

Thank you for the response.

I will explain the issue in detail.

I have created one Bro script file, "log-sample.bro", in which three SSH
events are defined with log statements in a simple way. It was also configured properly.

After that, an SSH client and server connection is made, and it is successful.
This whole connection is then captured in "newssh3aes.pcapng".

The two files mentioned are attached.

When log-sample.bro is executed with the newssh3aes.pcapng file, only the
ssh_client_version event is generated, but the other two SSH events,
"ssh_auth_successful" and "ssh_auth_failed", are not generated.

But if "log-sample.bro" is executed with the "sshguess.pcap" provided by
Bro for testing, then all three events above are generated.

It seems the way Bro made the SSH connection and my connection are
different.

Can you check and tell me what mistake I am making, either on the code side
or the SSH configuration side?

Thank you,
ravi

On Wed, Sep 19, 2018 at 10:18 PM Jon Siwek <jsiwek at corelight.com> wrote:

> On Wed, Sep 19, 2018 at 7:39 AM rahul rakesh <rahulbroids at gmail.com>
> wrote:
>
> > PFA the pcap file created after performing SSH logins.
> > When it was used, the SSH events are also not
> > generated, except the version event.
>
> Maybe attach the particular script you are using to make the
> determination that the events are not being generated, because I do
> see `ssh_auth_failed` get raised for that pcap.  Or elaborate on what
> you expect to see versus what you are not seeing.
>
> Also note, as the docs say, failure/success determinations are made
> via packet size analysis and aren't generally guaranteed to be made if
> there's ambiguity.
>
> - Jon
>
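As an added example (not the log-sample.bro attached to this message, whose contents are not reproduced on the page), the following Bro script logs each of the SSH events discussed in the thread and, at connection end, records the case Jon describes, where the size-based heuristic made no success/failure decision at all. The module name SSHTrace, the log path ssh_trace and the column names are assumptions; the event signatures are the stock ssh_client_version, ssh_server_version, ssh_auth_successful and ssh_auth_failed handlers, and the fallback assumes the base SSH script's optional SSH::Info$auth_success field, which it sets only from those two auth events.

```bro
# Added example script (assumed file name ssh-trace.bro): trace every SSH
# event Bro raises for a connection into its own log so that "which events
# fired for this pcap" can be answered without reading the stock ssh.log.
module SSHTrace;

export {
	redef enum Log::ID += { LOG };

	# One row per SSH event; column names are assumptions for this example.
	type Info: record {
		ts:         time    &log;
		uid:        string  &log;
		id:         conn_id &log;
		event_name: string  &log;
		detail:     string  &log &optional;
	};
}

event bro_init()
	{
	# Writes to ssh_trace.log in the working directory (assumed path).
	Log::create_stream(SSHTrace::LOG, [$columns=Info, $path="ssh_trace"]);
	}

function trace(c: connection, name: string, detail: string)
	{
	Log::write(SSHTrace::LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
	                           $event_name=name, $detail=detail]);
	}

# Raised from the cleartext banner exchange, so it fires for every SSH
# session regardless of cipher; this is the one event the poster sees.
event ssh_client_version(c: connection, version: string)
	{
	trace(c, "ssh_client_version", version);
	}

event ssh_server_version(c: connection, version: string)
	{
	trace(c, "ssh_server_version", version);
	}

# Both auth events come from Bro's packet-size heuristic over the encrypted
# stream; auth_method_none is T when the server accepted the "none" method.
event ssh_auth_successful(c: connection, auth_method_none: bool)
	{
	trace(c, "ssh_auth_successful",
	      auth_method_none ? "auth method none" : "authenticated");
	}

event ssh_auth_failed(c: connection)
	{
	trace(c, "ssh_auth_failed", "");
	}

# If the heuristic never decided, neither auth event fires and the base SSH
# script leaves auth_success unset; record that explicitly instead of
# silently having nothing in the log.
event connection_state_remove(c: connection)
	{
	if ( c?$ssh && ! c$ssh?$auth_success )
		trace(c, "ssh_auth_undetermined",
		      "no size-based success/failure decision for this session");
	}
```

Run it against the capture with `bro -r newssh3aes.pcapng ssh-trace.bro` and read ssh_trace.log; a session that shows only the two version rows plus an ssh_auth_undetermined row is the ambiguity case from Jon's reply rather than a scripting error, and the same run against sshguess.pcap should show the auth rows. If Bro's libpcap refuses the pcapng container, convert it first with `editcap -F pcap newssh3aes.pcapng newssh3aes.pcap`.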
-------------- next part --------------
A non-text attachment was scrubbed...
Name: log-sample.bro
Type: application/octet-stream
Size: 2750 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180919/b2d0b0ec/attachment-0002.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: newssh3aes.pcapng
Type: application/octet-stream
Size: 24372 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180919/b2d0b0ec/attachment-0003.obj 