Hello all,
We recently did a fresh install of Bro 2.1 on a new machine as per the quick start guide. This machine has been watching traffic for about a week now and all of the logs seem to be fine except for the SSH logs, which have the following problems.
- These logs are not adding geo-location information. The MaxMind databases were installed and put in the proper location, and a quick bro script that called the lookup_location() function seems to be working fine in retrieving this information. However, none of this information is logged, even for heuristically successful connections.
- About half of the entries in the SSH log have a status of "undetermined". This is not something we saw before on our older machine, where every entry was listed as either 'success' or 'failure' in the status column.
- The "resp_size" field of every entry is 0. Once again, this is not something that we have seen before.
I should also mention that we have an older machine watching exactly the same network as this one (though with a smaller network card), and that one seems to be picking up on SSH traffic fine. Any idea what's going on here?
Thank you,
N. Siow
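Added example (not part of the post above, and not Bro's own code): a small Python script that reads a Bro ASCII ssh.log and quantifies the three symptoms described, so the proportion of "undetermined" entries, zero resp_size rows and rows with no remote_location fields can be measured on both machines and compared. The parser honours the generic Bro ASCII header directives (#separator, #fields, #unset_field, #empty_field). The embedded sample log is constructed for this example; its column names are modelled on the Bro 2.x ssh.log but the rows are invented.

```python
"""Summarise a Bro ASCII ssh.log: status distribution, resp_size, geo coverage.

Added example, not Bro project code. The sample below is constructed; field
names follow the Bro 2.x ssh.log layout, the rows themselves are invented.
"""
import sys
from collections import Counter

SAMPLE_SSH_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssh
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tstatus\tdirection\tclient\tserver\tresp_size\tremote_location.country_code\tremote_location.city
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tenum\tstring\tstring\tcount\tstring\tstring
1358000000.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t192.0.2.10\t22\tsuccess\tOUTBOUND\tSSH-2.0-OpenSSH_5.9\tSSH-2.0-OpenSSH_5.3\t5120\tUS\tMountain View
1358000001.000000\tCjhGID4nQcgTWjvg4c\t10.0.0.7\t51235\t192.0.2.11\t22\tfailure\tOUTBOUND\tSSH-2.0-OpenSSH_5.9\tSSH-2.0-OpenSSH_5.3\t0\t-\t-
1358000002.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.9\t51236\t192.0.2.12\t22\tundetermined\tOUTBOUND\tSSH-2.0-OpenSSH_5.9\t-\t0\t-\t-
1358000003.000000\tCmES5u32sYpV7JYN\t10.0.0.9\t51237\t192.0.2.13\t22\tundetermined\tOUTBOUND\t-\t-\t0\t-\t-
#close\t2013-01-12-00-00-05
"""


def parse_bro_log(text):
    """Parse Bro ASCII log text into (fields, rows).

    Each row is a dict keyed by the #fields names. Values equal to the
    #unset_field marker become None and #empty_field values become "".
    """
    separator, unset, empty = "\t", "-", "(empty)"
    fields, rows = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            # First header line is "#separator \x09": the separator is given
            # escaped, after a literal space, because it is not yet known.
            escaped = line.split(" ", 1)[1]
            separator = bytes(escaped, "ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, *vals = line[1:].split(separator)
            if key == "fields":
                fields = vals
            elif key == "unset_field":
                unset = vals[0]
            elif key == "empty_field":
                empty = vals[0]
            continue  # #set_separator, #path, #types, #open, #close: ignored
        if fields is None:
            raise ValueError("data row seen before #fields header")
        vals = line.split(separator)
        if len(vals) != len(fields):
            raise ValueError("row has %d columns, header has %d" % (len(vals), len(fields)))
        rows.append({f: (None if v == unset else "" if v == empty else v)
                     for f, v in zip(fields, vals)})
    return fields, rows


def summarise_ssh_log(text):
    """Return counts for the symptoms under discussion: status values,
    rows whose resp_size is 0, and rows with every remote_location.* unset."""
    fields, rows = parse_bro_log(text)
    geo_fields = [f for f in fields if f.startswith("remote_location.")]
    return {
        "total": len(rows),
        "status": dict(Counter(r.get("status") or "<unset>" for r in rows)),
        "resp_size_zero": sum(1 for r in rows if r.get("resp_size") == "0"),
        "geo_fields_present": bool(geo_fields),
        "geo_unset_rows": sum(1 for r in rows
                              if all(r[f] is None for f in geo_fields)),
    }


def describe(summary):
    """Human-readable one-line findings from summarise_ssh_log()."""
    total = summary["total"] or 1
    undetermined = summary["status"].get("undetermined", 0)
    return [
        "%d entries" % summary["total"],
        "undetermined: %d (%.0f%%)" % (undetermined, 100.0 * undetermined / total),
        "resp_size == 0: %d" % summary["resp_size_zero"],
        "no remote_location: %d (columns %s)" % (
            summary["geo_unset_rows"],
            "present" if summary["geo_fields_present"] else "absent"),
    ]


if __name__ == "__main__":
    # Usage: python bro_ssh_summary.py /path/to/ssh.log   (no argument: sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSH_LOG
    for line in describe(summarise_ssh_log(text)):
        print(line)
```

Run it against ssh.log on each sensor and compare the four lines; if the remote_location columns are reported as absent rather than unset, the logging script on that box is not emitting the field at all, which is a different problem from lookup_location() returning nothing.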