Enable ssh detection?

rahul_rakesh · September 19, 2018, 8:56am

Hi all,

Given SSH example from Bro site is working fine ,when it is tested from the command line .
I mean SSH events such as failed and success are generated and also log is created.
But with out using ssh guess pcap file, when i do ssh thing between two systems, these
events such as ssh_auth_fail and success are NOT generating. Can you tell How to solve this issue?. or How can i enable SSH detection?

with regards
ravi

rahul_rakesh · September 19, 2018, 12:24pm

Hi

PFA created pcap file after performing ssh logins.
When it was used also , the ssh events are bot
generating excepting version event.

with regards
ravi

newssh3aes.pcapng (23.8 KB)

Jon_Siwek · September 19, 2018, 4:48pm

Maybe attach the particular script you are using to make the
determination that the events are not being generated, because I do
see `ssh_auth_failed` get raised for that pcap. Or elaborate on what
you expect to see versus what you are not seeing.

Also note, as the docs say, failure/success determinations are made
via packet size analysis and aren't generally guaranteed to be made if
there's ambiguity.

- Jon

rahul_rakesh · September 18, 2018, 8:06pm

Hi Jon,

Thank you for the ,response.

In detail, I will explain the issue.

I have created one bro script file “log-sample.bro”,in which three SSH events

are defined with log stmts in simple way. It was also configured properly.

After that, SSH client and server connection is made and it is successful.
And then ,this whole connection is captured in “newssh3aes.pcapng”.

Those two files mentioned are attached.

When log-sample.bro is executed with newssh3aes.pcapng file, only ssh_client_version

event is generated,but other two ssh events such as “ssh_auth_successful” and “ssh_auth_failed”

are not generated.

But if “log-sample.bro” is executed with “sshguess.pcap” provided by
Bro for testing ,then all the above three events are generated.

It seems the way bro made the SSH connection and my connection are different.

Can you check and tell what mistake i am making either on code side,ssh configuration side?

thank you

ravi

log-sample.bro (2.69 KB)

newssh3aes.pcapng (23.8 KB)

Jon_Siwek · September 20, 2018, 5:15pm

Thanks for explaining. One thing I noticed is that there's a
difference in events generated between Bro 2.5.5 and 2.6-beta, with
the later raising more events. The patch that results in the
difference is at [1] in case you want to try to apply it or else I'd
suggest trying out the beta version.

- Jon

[1] https://github.com/bro/bro/commit/7e374f8c3f800b7fc2cdd4cf36dab753d3013754

rahul_rakesh · September 24, 2018, 12:35pm

Hi Jon,

Thank you.
Made the changes in Bro 2.5.3 as you suggested,it is working fine.

One more thing, to execute the detect-MHR.bro file located in frameworks/files folder,
I think some pdf is required to test it. So, Can you suggest me where can i get pdf file?.

with regards
ravi

Topic		Replies	Views
Hui Lin_SSH Analyzer Zeek	4	46	May 6, 2022
Basic Question Zeek	8	69	May 6, 2022
Question about duplicate traffic with load balancing and SSH::Password_Guessing Zeek	2	53	May 6, 2022
event q. Zeek	1	70	May 6, 2022
SSH logging Zeek	3	82	May 6, 2022

Enable ssh detection?

Related Topics