Bro doesn't detect SSH version in local network


Bro somehow doesn't detect the SSH client version when listening on a local network interface. The machine with Bro installed has two network interfaces. One is in the common company network and the other is in a small test network. The small network has addresses in a space. The other machines in the small network have two interfaces, for the intranet and the test network, as well.

When an ssh connection is established from a test machine and Bro is listening on the eth0 interface, the ssh client version gets detected. But if the ssh connection targets the eth1 interface, which Bro is listening on, nothing gets detected.

Here are the interfaces on the machine with Bro installed:


eth0 Link encap:Ethernet HWaddr 00:50:56:99:76:5f
inet addr: Bcast: Mask:
RX packets:346628470 errors:0 dropped:1417 overruns:0 frame:0
TX packets:327889 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:104910129783 (97.7 GiB) TX bytes:77220087 (73.6 MiB)

eth1 Link encap:Ethernet HWaddr 00:50:56:99:74:81
inet addr: Bcast: Mask:
RX packets:1648090595 errors:0 dropped:20 overruns:0 frame:0
TX packets:645 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:98885922776 (92.0 GiB) TX bytes:93928 (91.7 KiB)

Bro is started like this:

bro -i eth0 os-app-detect.bro local

or, for the local interface:

bro -i eth1 os-app-detect.bro local

The output that shows in the first case is:

OpenSSH OpenSSH_6.0p1 Debian-4+deb7u3

The connections from a test machine are run like this.
On the eth0 interface (Bro detects it):

ssh root@

On the eth1 interface (Bro doesn't detect it):

ssh root@

The .bro script for printing the SSH client version:


Offloading is disabled on both NICs, and the -C option also doesn't do the trick.

While reading a pcap of saved ssh traffic, bro outputs a warning:

/usr/local/bro/bin/bro -C -r /root/eth1-ssh.cap /usr/local/bro/share/bro/pluton/os-app-detect.bro local

1497975118.771257 warning: Stream SOrfileNrXm8iGmlR6 is already queued for removal. Ignoring remove.

while on a pcap from the other interface:

/usr/local/bro/bin/bro -C -r /root/eth0-ssh.cap /usr/local/bro/share/bro/pluton/os-app-detect.bro local

OpenSSH OpenSSH_6.0p1 Debian-4+deb7u3

Thank you

What does the full conn.log entry show for the SSH connection in these two cases?

Can you upgrade bro to 2.5 or the 2.5.1 beta? 2.4.1 is almost a year old at this point.

The connection entries differ only in the local_orig and local_resp fields. What is the meaning of these connection parameters?

Ah, so you have 2 separate problems here.

Your first problem was that bro was only seeing half of the traffic. Note that this does not have anything to do with whether or not you ran an ls command. The TCP 3-way handshake and the ssh negotiation would include traffic from both sides.

Your latest conn log entry shows a proper record with packets from both directions of the connection, so whatever the issue you were having with that has been resolved.

Your second problem is that you are using the Software::log_software event. By default this will only log software seen on local IP addresses. For a bro installation that is using broctl, this is controlled by /usr/local/bro/etc/networks.cfg. If you're normally using broctl, just ensure that and (or whatever larger block you are using) are present in that file. If you're not using broctl, just use another script that includes

redef Site::local_nets = {
    <test-network-subnet>,  # Private IP space
    <intranet-subnet>,      # Private IP space
};
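As an added example, not a script from the original thread, here is a complete standalone Bro script that applies the answer above: it widens Site::local_nets so the test network counts as "local" (which is what conn.log's local_orig/local_resp columns and the Software framework's default LOCAL_HOSTS tracking are derived from), shows the alternative of tracking software on all hosts, and prints SSH client versions from the Software::log_software event. The two subnets are constructed RFC 1918 placeholders, not the thread's real ranges.

```bro
# Added example (not from the original thread).  Two ways to make SSH
# software detections from the test network show up, plus a handler that
# prints them.  The subnets below are constructed placeholders; replace
# them with the real intranet and test-network ranges.

@load base/frameworks/software
@load protocols/ssh/software

# Site::local_nets drives conn.log's local_orig / local_resp columns and,
# by default, which hosts the Software framework records software for.
redef Site::local_nets += {
    10.0.0.0/8,       # PLACEHOLDER: company intranet range (RFC 1918)
    192.168.0.0/16,   # PLACEHOLDER: small test network (RFC 1918)
};

# Alternative: leave local_nets alone and record software seen on every
# host, not only local ones (the framework's default is LOCAL_HOSTS).
# redef Software::asset_tracking = ALL_HOSTS;

# Print SSH client versions as the Software framework logs them.  Only
# hosts matching the tracking policy above ever reach this event, which is
# why the original script saw nothing for the non-local test network.
event Software::log_software(rec: Software::Info)
    {
    if ( rec$software_type != SSH::CLIENT )
        return;

    local ver = rec?$unparsed_version ? rec$unparsed_version : "<unknown>";
    print fmt("%s SSH client %s on %s (local=%s)",
              strftime("%Y-%m-%d %H:%M:%S", rec$ts),
              ver, rec$host, Site::is_local_addr(rec$host));
    }
```

Run it the same way as in the thread (bro -i eth1 this-script.bro, or bro -C -r eth1-ssh.cap this-script.bro); the local=T/F column in the output makes it immediately visible whether a host falls inside Site::local_nets, which is the quickest check when a detection is missing.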

Thank you very much. After setting proper local IP space it is working.