[Zeek] SSH auth_success state true set, but admin claims no logins

Vlad Grigorescu vlad at es.net
Mon Sep 16 14:39:54 PDT 2019

Hi Jeffrey,

The SSH detection /should/ be fairly solid. I really tried to err on the
side of caution, and to not make a determination if there was some room for

I haven't heard any reports about what specifically might cause a false
positive, but I would guess: some uncommon SSH option (e.g. a large
banner?) or some aggressive TCP settings.

If you can duplicate this by trying to login against this server, and could
share an anonymized PCAP, I'll work updating the analyzer.



On Mon, Sep 16, 2019 at 7:17 PM Jim Mellander <jmellander at lbl.gov> wrote:

> Since Zeek only sees the encrypted traffic of an ssh session, it can only
> make a best-guess based on packet-size analysis, which is not necessarily
> going to be 100% accurate.
> On Mon, Sep 16, 2019 at 11:24 AM Collyer, Jeffrey W (jwc3f) <
> jwc3f at virginia.edu> wrote:
>> So recently I saw an SSH login to a device from outside the US.  I
>> reported it to the end system admin.  The Zeek log set the auth_success
>> state to true, but the admin of the box claims no successful login and is
>> pushing back that it is a false positive.
>> Have other Zeek users ever seen this?  Is the SSH auth state detection
>> mistaken here?
>> I don’t have pcaps to verify one way to the other, sadly.
>> {"_path":"ssh","_system_name":"corelight","_write_ts":"2019-09-12T22:26:32.106142Z","ts":"2019-09-12T22:26:31.226136Z","uid":"C95i0o2Jl77LXHb2R9","id.orig_h”:”x.x.x.x","id.orig_p":49670,"id.resp_h”:”x.x.x.x","id.resp_p":22,"version":2,"auth_success":true,"auth_attempts":1,"direction":"INBOUND","client":"SSH-2.0-OpenSSH_7.2p2
>> Ubuntu-4ubuntu2.4","server":"SSH-2.0-OpenSSH_7.4","cipher_alg":"
>> chacha20-poly1305 at openssh.com","mac_alg":"umac-64-etm at openssh.com
>> ","compression_alg":"none","kex_alg":"curve25519-sha256 at libssh.org
>> ","host_key_alg":"ecdsa-sha2-nistp256","host_key":"68:1e:68:89:5e:e5:20:72:f7:e6:bf:21:de:07:3a:b1”}
>> Can anyone shed light on this?
>> Thanks
>> Jeff
>> Jeffrey Collyer
>> Information Security Engineer
>> University of Virginia
>> jwc3f at virginia.edu
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190916/d5410c1c/attachment-0001.html 

More information about the Zeek mailing list