[Zeek] SSH auth_success state true set, but admin claims no logins

Vlad Grigorescu vlad at es.net
Wed Sep 25 09:26:20 PDT 2019


Jeffrey,

I wanted to follow up on this and see if you were able to determine
any additional information.

Thanks!

  --Vlad

On Mon, Sep 16, 2019 at 9:39 PM Vlad Grigorescu <vlad at es.net> wrote:
>
> Hi Jeffrey,
>
> The SSH detection /should/ be fairly solid. I really tried to err on the side of caution, and to not make a determination if there was some room for doubt.
>
> I haven't heard any reports about what specifically might cause a false positive, but I would guess: some uncommon SSH option (e.g. a large banner?) or some aggressive TCP settings.
>
> If you can duplicate this by trying to log in against this server, and could share an anonymized PCAP, I'll work on updating the analyzer.
>
> Thanks,
>
>   --Vlad
>
> On Mon, Sep 16, 2019 at 7:17 PM Jim Mellander <jmellander at lbl.gov> wrote:
>>
>> Since Zeek only sees the encrypted traffic of an ssh session, it can only make a best-guess based on packet-size analysis, which is not necessarily going to be 100% accurate.
>>
>> On Mon, Sep 16, 2019 at 11:24 AM Collyer, Jeffrey W (jwc3f) <jwc3f at virginia.edu> wrote:
>>>
>>> So recently I saw an SSH login to a device from outside the US.  I reported it to the end system admin.  The Zeek log set the auth_success state to true, but the admin of the box claims no successful login and is pushing back that it is a false positive.
>>>
>>> Have other Zeek users ever seen this?  Is the SSH auth state detection mistaken here?
>>> I don't have pcaps to verify one way or the other, sadly.
>>>
>>>
>>> {"_path":"ssh","_system_name":"corelight","_write_ts":"2019-09-12T22:26:32.106142Z","ts":"2019-09-12T22:26:31.226136Z","uid":"C95i0o2Jl77LXHb2R9","id.orig_h":"x.x.x.x","id.orig_p":49670,"id.resp_h":"x.x.x.x","id.resp_p":22,"version":2,"auth_success":true,"auth_attempts":1,"direction":"INBOUND","client":"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4","server":"SSH-2.0-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com","mac_alg":"umac-64-etm at openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256 at libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"68:1e:68:89:5e:e5:20:72:f7:e6:bf:21:de:07:3a:b1"}
>>>
>>> Can anyone shed light on this?
>>>
>>> Thanks
>>> Jeff
>>>
>>>
>>> Jeffrey Collyer
>>> Information Security Engineer
>>> University of Virginia
>>> jwc3f at virginia.edu
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

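Jim's point above, that auth_success is a packet-size inference over encrypted traffic, is why a verdict like the one in Jeff's log deserves a second source before anyone calls it a false positive. The following is an added example, not code from the thread or from Zeek, that joins Zeek ssh.log JSON records against the responder host's own sshd "Accepted" lines on client address, source port and time; the addresses, uids and log lines are constructed, and the host log's syslog timestamps are assumed to be UTC.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed Zeek ssh.log records in JSON form, modelled on the one posted in the
# thread but with RFC 5737 documentation addresses and made-up uids.
ZEEK_SSH_LINES = [
    '{"_path":"ssh","ts":"2019-09-12T22:26:31.226136Z","uid":"Ca1b2c3","id.orig_h":"203.0.113.7",'
    '"id.orig_p":49670,"id.resp_h":"192.0.2.10","id.resp_p":22,"version":2,"auth_success":true,'
    '"auth_attempts":1,"direction":"INBOUND"}',
    '{"_path":"ssh","ts":"2019-09-12T22:30:02.000000Z","uid":"Cd4e5f6","id.orig_h":"198.51.100.4",'
    '"id.orig_p":51000,"id.resp_h":"192.0.2.10","id.resp_p":22,"version":2,"auth_success":true,'
    '"auth_attempts":2,"direction":"INBOUND"}',
]

# Constructed sshd lines from the responder host's auth.log. Syslog timestamps carry no
# year or zone; they are assumed to be UTC here, which must be checked per host.
SSHD_LINES = [
    "Sep 12 22:26:31 host1 sshd[1234]: Accepted publickey for alice from 203.0.113.7 port 49670 ssh2: ED25519 SHA256:placeholder",
    "Sep 12 22:30:01 host1 sshd[1300]: Failed password for invalid user admin from 198.51.100.4 port 51000 ssh2",
    "Sep 12 22:30:02 host1 sshd[1300]: Connection closed by authenticating user admin 198.51.100.4 port 51000 [preauth]",
]

ACCEPTED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for \S+ from (\S+) port (\d+) ssh2"
)


def accepted_logins(sshd_lines, year):
    """Map (client_ip, client_port) -> login time for every sshd 'Accepted ...' line."""
    logins = {}
    for line in sshd_lines:
        m = ACCEPTED.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            logins[(m.group(2), int(m.group(3)))] = when.replace(tzinfo=timezone.utc)
    return logins


def corroborate(zeek_lines, sshd_lines, year=2019, window=timedelta(seconds=60)):
    """For each Zeek ssh record with auth_success=true and direction INBOUND, report
    whether the responder's sshd log shows an accepted login from the same client
    address and source port within `window`; otherwise the Zeek verdict is unconfirmed."""
    logins = accepted_logins(sshd_lines, year)
    verdicts = []
    for line in zeek_lines:
        rec = json.loads(line)
        if not (rec.get("auth_success") is True and rec.get("direction") == "INBOUND"):
            continue
        zeek_ts = datetime.strptime(rec["ts"][:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        host_ts = logins.get((rec["id.orig_h"], rec["id.orig_p"]))
        status = "corroborated" if host_ts and abs(host_ts - zeek_ts) <= window else "unconfirmed"
        verdicts.append((rec["uid"], status))
    return verdicts
```

An "unconfirmed" verdict is not proof of a false positive (sshd may log elsewhere, the host clock may drift, or the line may simply be missing); it marks which Zeek verdicts still need the packet-level evidence Vlad asked for.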

