[Zeek] SSH auth_success state true set, but admin claims no logins

Muth, Melissa R muthm at isc.upenn.edu
Wed Sep 25 10:17:18 PDT 2019


> The Zeek log set the auth_success state to true, but the admin of the box claims no successful login and is pushing back that it is a false positive.

> Have other Zeek users ever seen this?  Is the SSH auth state detection mistaken here?

It’s been my experience that auth_success isn’t reliable enough to be actionable.

Melissa
--

Melissa Muth

IT Architect, Office of Information Security

Information Systems & Computing

University of Pennsylvania

muthm at isc.upenn.edu   215-573-6798

From: <zeek-bounces at zeek.org> on behalf of Jim Mellander <jmellander at lbl.gov>
Date: Monday, September 16, 2019 at 3:09 PM
To: "Collyer, Jeffrey W (jwc3f)" <jwc3f at virginia.edu>
Cc: Bro <bro at bro.org>
Subject: Re: [Zeek] SSH auth_success state true set, but admin claims no logins

Since Zeek only sees the encrypted traffic of an ssh session, it can only make a best-guess based on packet-size analysis, which is not necessarily going to be 100% accurate.

On Mon, Sep 16, 2019 at 11:24 AM Collyer, Jeffrey W (jwc3f) <jwc3f at virginia.edu> wrote:
So recently I saw an SSH login to a device from outside the US.  I reported it to the end system admin.  The Zeek log set the auth_success state to true, but the admin of the box claims no successful login and is pushing back that it is a false positive.

Have other Zeek users ever seen this?  Is the SSH auth state detection mistaken here?
I don’t have pcaps to verify one way or the other, sadly.


{"_path":"ssh","_system_name":"corelight","_write_ts":"2019-09-12T22:26:32.106142Z","ts":"2019-09-12T22:26:31.226136Z","uid":"C95i0o2Jl77LXHb2R9","id.orig_h":"x.x.x.x","id.orig_p":49670,"id.resp_h":"x.x.x.x","id.resp_p":22,"version":2,"auth_success":true,"auth_attempts":1,"direction":"INBOUND","client":"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4","server":"SSH-2.0-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256@libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"68:1e:68:89:5e:e5:20:72:f7:e6:bf:21:de:07:3a:b1"}

Can anyone shed light on this?

Thanks
Jeff


Jeffrey Collyer
Information Security Engineer
University of Virginia
jwc3f at virginia.edu
_______________________________________________
Zeek mailing list
zeek at zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
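Added example, not from the thread or from Zeek's own code: since auth_success is a packet-size guess made on encrypted traffic, treat it as a hypothesis and check it against the host's own sshd log before raising it. The script below matches each Zeek ssh record that claims auth_success=true to an sshd "Accepted" line for the same client ip:port within a time window; the log lines, host name "srv" and the UTC/2019 assumptions for syslog stamps are constructed.

```python
import json
import re
from datetime import datetime

# Constructed Zeek ssh.log records modelled on the one in the thread (RFC 5737 addresses).
ZEEK_SSH_LOG = [
    '{"ts":"2019-09-12T22:26:31.226136Z","uid":"C95i0o2Jl77LXHb2R9","id.orig_h":"203.0.113.7",'
    '"id.orig_p":49670,"id.resp_h":"198.51.100.5","id.resp_p":22,"auth_success":true,'
    '"auth_attempts":1,"direction":"INBOUND"}',
    '{"ts":"2019-09-12T22:30:02.000000Z","uid":"CtestUid2","id.orig_h":"203.0.113.9",'
    '"id.orig_p":50001,"id.resp_h":"198.51.100.5","id.resp_p":22,"auth_success":true,'
    '"auth_attempts":3,"direction":"INBOUND"}',
]

# Constructed sshd syslog lines from the server (hypothetical host "srv").
SSHD_LOG = [
    "Sep 12 22:26:32 srv sshd[1200]: Connection closed by authenticating user root 203.0.113.7 port 49670 [preauth]",
    "Sep 12 22:30:03 srv sshd[1234]: Accepted publickey for alice from 203.0.113.9 "
    "port 50001 ssh2: ED25519 SHA256:constructed",
]

ACCEPTED_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def host_accepts(sshd_lines, year):
    """Yield (timestamp, client_ip, client_port, user) per sshd 'Accepted' line.
    Syslog stamps carry no year, so the caller supplies it; both logs assumed UTC."""
    for line in sshd_lines:
        m = ACCEPTED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], int(m["port"]), m["user"]

def triage(zeek_lines, sshd_lines, year=2019, window_s=60):
    """Map each Zeek uid with auth_success=true to 'corroborated' (sshd logged an
    Accepted line for the same client ip:port within window_s) or 'uncorroborated'."""
    accepts = list(host_accepts(sshd_lines, year))
    verdicts = {}
    for line in zeek_lines:
        rec = json.loads(line)
        if not rec.get("auth_success"):
            continue  # only the sensor's "success" claims need checking
        zts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        hits = [u for ats, ip, port, u in accepts
                if ip == rec["id.orig_h"] and port == rec["id.orig_p"]
                and abs((ats - zts).total_seconds()) <= window_s]
        verdicts[rec["uid"]] = "corroborated" if hits else "uncorroborated"
    return verdicts
```

An "uncorroborated" verdict is not proof of a false positive either: a host whose sshd logging was tampered with or never shipped off-box produces the same result, so keep the Zeek record and the host log side by side in the ticket.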