Bro doesn't detect SSH version in local network

Hi,

Bro somehow doesn't detect the SSH client version when listening on a local network interface. The machine with Bro installed has two network interfaces. One is in the company common network and the other is in a small test network. The small network has addresses in the 192.168.0.0/16 space. The other machines in the small network have two interfaces as well, for the intranet and the test network.

When an ssh connection is established from a test machine and Bro is listening on the eth0 interface, the ssh client version gets detected. But if the ssh connection targets the eth1 interface on which Bro is listening, nothing gets detected.

Here are the interfaces on the machine with Bro installed:

ifconfig

eth0 Link encap:Ethernet HWaddr 00:50:56:99:76:5f
inet addr:10.31.10.190 Bcast:10.31.10.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:346628470 errors:0 dropped:1417 overruns:0 frame:0
TX packets:327889 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:104910129783 (97.7 GiB) TX bytes:77220087 (73.6 MiB)

eth1 Link encap:Ethernet HWaddr 00:50:56:99:74:81
inet addr:192.168.99.90 Bcast:192.168.99.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:1648090595 errors:0 dropped:20 overruns:0 frame:0
TX packets:645 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:98885922776 (92.0 GiB) TX bytes:93928 (91.7 KiB)

Bro is started like this:

bro -i eth0 os-app-detect.bro local

or, for the local interface:

bro -i eth1 os-app-detect.bro local

The output that shows in the first case is:

OpenSSH OpenSSH_6.0p1 Debian-4+deb7u3

The connections from a test machine run like this.

On the eth0 interface (Bro detects it):

ssh root@10.31.10.190

On the eth1 interface (Bro doesn't detect it):

ssh root@192.168.99.90

The .bro script for printing SSH client version:

see

https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums

Offloading is disabled on both NICs, and the -C option also doesn't do the trick.

While reading a pcap of saved ssh traffic, bro outputs a warning:

/usr/local/bro/bin/bro -C -r /root/eth1-ssh.cap /usr/local/bro/share/bro/pluton/os-app-detect.bro local

UNKNOWN
1497975118.771257 warning: Stream SOrfileNrXm8iGmlR6 is already queued for removal. Ignoring remove.

while on a pcap from the other interface:

/usr/local/bro/bin/bro -C -r /root/eth0-ssh.cap /usr/local/bro/share/bro/pluton/os-app-detect.bro local

UNKNOWN
OpenSSH OpenSSH_6.0p1 Debian-4+deb7u3

Thank you

What does the full conn.log entry show for the SSH connection in these two cases?

Can you upgrade bro to 2.5 or the 2.5.1 beta? 2.4.1 is almost a year old at this point.

The connection entries differ only in the local_orig and local_resp fields. What is the meaning of these connection parameters?

Ah, so you have 2 separate problems here.

Your first problem was that bro was only seeing half of the traffic. Note, this does not have anything to do with whether or not you ran an ls command. The TCP 3-way handshake and the ssh negotiation would include traffic from both sides.

Your latest conn log entry shows a proper record with packets from both directions of the connection, so whatever the issue you were having with that has been resolved.

Your second problem is that you are using the Software::log_software event. By default this will only log software seen on local IP addresses. For a bro installation that is using broctl, this is controlled by /usr/local/bro/etc/networks.cfg. If you're normally using broctl, just ensure that 192.168.99.0/24 and 10.31.10.0/24 (or whatever larger block you are using) are present in that file. If you're not using broctl, just use another script that includes

redef Site::local_nets = {
  10.0.0.0/8, # Private IP space
  192.168.0.0/16, # Private IP space
};
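For readers who hit the same symptom, here is a complete standalone script that puts the two pieces of the answer together: the Site::local_nets redef so that both monitored subnets count as local, and a Software::log_software handler that prints the detected SSH client, so you can confirm the event fires for connections on either interface. This is an added example written for this thread, not the os-app-detect.bro script the original poster used; it assumes a Bro 2.4/2.5 installation where the policy script protocols/ssh/software is available, and the two /24 networks are the ones from the ifconfig output above.

```bro
# Added example (not the original poster's os-app-detect.bro).
# Run with:  bro -i eth1 ssh-local-nets.bro
# or offline: bro -C -r eth1-ssh.cap ssh-local-nets.bro

# Software framework plus the policy script that populates
# SSH::CLIENT / SSH::SERVER entries from ssh.log version strings.
@load base/frameworks/software
@load protocols/ssh/software

# Software::log_software only fires for hosts in Site::local_nets,
# so both monitored subnets (taken from the ifconfig output in the
# thread) have to be declared local. Using += keeps whatever
# networks.cfg or local.bro already added.
redef Site::local_nets += {
    10.31.10.0/24,     # company network on eth0
    192.168.99.0/24,   # test network on eth1
};

event Software::log_software(rec: Software::Info)
    {
    # Only report SSH clients; servers and other software are ignored.
    if ( rec$software_type != SSH::CLIENT )
        return;

    # unparsed_version is &optional, so guard before using it.
    local ver = rec?$unparsed_version ? rec$unparsed_version : "<unknown>";

    print fmt("%s %s from %s (local: %s)",
              rec$name, ver, rec$host, Site::is_local_addr(rec$host));
    }
```

If the handler prints nothing for a connection but conn.log shows both local_orig and local_resp as F, the address still isn't covered by Site::local_nets; if both are T, the remaining suspects are the checksum and half-duplex capture issues discussed earlier in the thread.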

Thank you very much. After setting proper local IP space it is working.