Hui Lin_SSH Analyzer

Hi,

In my experiment, I need to use the SSH analyzer simply to record a successful login. I find that Bro comes with the events heuristic_successful_login and heuristic_failed_login in the policy file /share/bro/base/protocol/main.bro.

When I test these two events with the default implementation, I find that the log file always records a failed SSH login to the system even if I log in correctly with user/password authentication. I want to check when these two events are called, but I could not find the SSH analyzer binpac code.

So I am wondering: how can I correctly record the SSH login with user/password authentication, with the user name logged in plain text?

Best,

Hui

> When I test these two events with the default implementation, I find that the log file always records a failed SSH login to the system even if I log in correctly with user/password authentication. I want to check when these two events are called, but I could not find the SSH analyzer binpac code.

Those are script-land events. Currently all events generated by core code (typically the analyzers) are defined in events.bif. You can see in the SSH scripts where those events are generated.

The reason you're seeing a false positive is because the SSH successful login code uses a heuristic to guess if the login was successful or not and sometimes it's wrong.

> So I am wondering: how can I correctly record the SSH login with user/password authentication, with the user name logged in plain text?

That information is encrypted in SSH.

  .Seth

>> When I test these two events with the default implementation, I find that the log file always records a failed SSH login to the system even if I log in correctly with user/password authentication. I want to check when these two events are called, but I could not find the SSH analyzer binpac code.

> Those are script-land events. Currently all events generated by core code (typically the analyzers) are defined in events.bif. You can see in the SSH scripts where those events are generated.

It seems that these two events are not included in event.bif.bro any more.

> The reason you're seeing a false positive is because the SSH successful login code uses a heuristic to guess if the login was successful or not and sometimes it's wrong.

>> So I am wondering: how can I correctly record the SSH login with user/password authentication, with the user name logged in plain text?

> That information is encrypted in SSH.

I see.

I accidentally found that there is also a syslog policy in Bro. I know that an SSH login to the host machine will be logged in auth.log. I am wondering whether Bro can log the SSH login through the syslog policy. At least, I have not been successful in my test.

> It seems that these two events are not included in event.bif.bro any more.

They never were included in that file since they aren't events from the core.

> I accidentally found that there is also a syslog policy in Bro. I know that an SSH login to the host machine will be logged in auth.log. I am wondering whether Bro can log the SSH login through the syslog policy. At least, I have not been successful in my test.

That's for analyzing the syslog protocol; you just have to make sure that the host sniffing traffic would see the syslog traffic, or you could use the input framework from the upcoming Bro 2.1 (it's in the master branch already) to read the log file in directly if it's on some host in your cluster.

  .Seth
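As an added example that is not part of this thread (the code below is mine, not Bro's and not either participant's): Seth's point is that the user name and the authentication outcome are encrypted on the wire, so the SSH analyzer can only guess from packet sizes and timing, while the host's auth.log states them plainly, and Bro 2.1's input framework can read that file. The Python below does the equivalent extraction outside Bro over constructed sshd log lines, so you can see exactly what the host log yields (user, result, auth method, client address, invalid-user attempts) that the wire heuristic cannot. The hosts, users and addresses are constructed sample data, and the regex assumes OpenSSH's standard "Accepted <method> for <user> from <ip> port <port> ssh2" / "Failed ..." message format.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample lines in the auth.log format written by OpenSSH's sshd via syslog.
# Hosts, users, PIDs and addresses are made up; this is not captured data.
SAMPLE_AUTH_LOG = """\
Jun 12 10:01:02 sensor sshd[1201]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
Jun 12 10:01:09 sensor sshd[1210]: Failed password for bob from 192.0.2.11 port 51240 ssh2
Jun 12 10:01:15 sensor sshd[1212]: Failed password for invalid user admin from 192.0.2.12 port 51250 ssh2
Jun 12 10:02:00 sensor sshd[1220]: Accepted publickey for carol from 192.0.2.13 port 51300 ssh2: RSA SHA256:PLACEHOLDERFINGERPRINT
Jun 12 10:02:30 sensor CRON[1230]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# sshd result lines: "Accepted <method> for <user> from <ip> port <port> ssh2"
# and "Failed <method> for [invalid user] <user> from <ip> port <port> ssh2".
# Assumed OpenSSH format; other daemons or log pipelines may differ.
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)


@dataclass(frozen=True)
class SshAuthEvent:
    ts: str
    host: str
    user: str
    client_ip: str
    client_port: int
    method: str        # "password", "publickey", ...
    success: bool      # True for "Accepted", False for "Failed"
    invalid_user: bool # True when sshd flagged the account as non-existent


def parse_sshd_line(line: str) -> Optional[SshAuthEvent]:
    """Parse one syslog line; return None for lines that are not sshd auth results."""
    m = SSHD_AUTH_RE.match(line.strip())
    if not m:
        return None
    return SshAuthEvent(
        ts=m["ts"],
        host=m["host"],
        user=m["user"],
        client_ip=m["ip"],
        client_port=int(m["port"]),
        method=m["method"],
        success=(m["result"] == "Accepted"),
        invalid_user=m["invalid"] is not None,
    )


def parse_auth_log(lines: Iterable[str]) -> List[SshAuthEvent]:
    """Extract every sshd authentication result from an auth.log stream."""
    events: List[SshAuthEvent] = []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is not None:
            events.append(ev)
    return events


def successful_logins(events: Iterable[SshAuthEvent]) -> List[SshAuthEvent]:
    return [e for e in events if e.success]


def failed_logins(events: Iterable[SshAuthEvent]) -> List[SshAuthEvent]:
    return [e for e in events if not e.success]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG.splitlines())
    for e in evs:
        outcome = "OK  " if e.success else "FAIL"
        flag = " (invalid user)" if e.invalid_user else ""
        print(f"{e.ts} {outcome} {e.method:<9} user={e.user} from {e.client_ip}:{e.client_port}{flag}")
```

The split between `parse_sshd_line` and `parse_auth_log` mirrors how you would wire this into a log reader that hands over one line at a time; non-sshd lines (the CRON entry above) are dropped rather than raising, which is what you want on a real, noisy auth.log.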