Hi,
I am monitoring the weird.log file to look for unusual login attempts on different services running, like SMB. But when I added ignore_checksums=T in local.bro, weird.log stopped recording those login attempts. I am also in parallel reading SSH login requests, which are only logged by ssh.log if checksums are ignored.
Is there a way I could log attempts on both SMB and SSH services? How can I make a separate file for SMB-related requests? Just login attempts would be fine, because weird.log does not log usernames and other essential info related to the attack.
ssh.log file content, only logged when checksum is ignored:
{"ts":"2016-08-03T13:37:44.054012Z","uid":"CftFQ54On2aEMWTxe2","id.orig_h":"192.168.227.102","id.orig_p":41146,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:46.403884Z","uid":"CiPQlY3yKBXpFNAZy7","id.orig_h":"192.168.227.102","id.orig_p":38431,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:53.591712Z","uid":"CrBgS9RnVLTqoJ0Ch","id.orig_h":"192.168.227.102","id.orig_p":42909,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"auth_success":true,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:48.727616Z","uid":"Cl8KRP2oeWFBeEu1c8","id.orig_h":"192.168.227.102","id.orig_p":36868,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:51.030760Z","uid":"CihwTS2fBKkKOnLQmh","id.orig_h":"192.168.227.102","id.orig_p":34020,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:54.514701Z","uid":"Cy9JZh7rnAmkUopic","id.orig_h":"192.168.227.102","id.orig_p":46764,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:56.157141Z","uid":"CPlFiq1B98W54N2CHb","id.orig_h":"192.168.227.102","id.orig_p":39147,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:58.399253Z","uid":"CIUjNm1YN5VOCh2kMj","id.orig_h":"192.168.227.102","id.orig_p":33347,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
weird.log file content for SMB service login attempts, logged when checksums are not ignored:
{"ts":"2016-08-03T12:58:27.310293Z","uid":"CX7tYC3dcJRhr7JHQf","id.orig_h":"192.168.227.102","id.orig_p":34040,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.379358Z","uid":"CX7tYC3dcJRhr7JHQf","id.orig_h":"192.168.227.102","id.orig_p":34040,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.383344Z","uid":"CU8OtK24mBy3xArCUf","id.orig_h":"192.168.227.102","id.orig_p":35751,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.434387Z","uid":"CU8OtK24mBy3xArCUf","id.orig_h":"192.168.227.102","id.orig_p":35751,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.437407Z","uid":"CJxYrM2ZDvbfXrOOMg","id.orig_h":"192.168.227.102","id.orig_p":37063,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.493461Z","uid":"CJxYrM2ZDvbfXrOOMg","id.orig_h":"192.168.227.102","id.orig_p":37063,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.496109Z","uid":"CmyLjl40RuIbPyIfGg","id.orig_h":"192.168.227.102","id.orig_p":37447,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.560012Z","uid":"CmyLjl40RuIbPyIfGg","id.orig_h":"192.168.227.102","id.orig_p":37447,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.567962Z","uid":"Cdkk3l4VSBL9hHfMyc","id.orig_h":"192.168.227.102","id.orig_p":38688,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.629859Z","uid":"Cdkk3l4VSBL9hHfMyc","id.orig_h":"192.168.227.102","id.orig_p":38688,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.633006Z","uid":"CWPSxs3IcmDxCuZlFc","id.orig_h":"192.168.227.102","id.orig_p":39016,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.696545Z","uid":"CWPSxs3IcmDxCuZlFc","id.orig_h":"192.168.227.102","id.orig_p":39016,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.712067Z","uid":"CVBsOs3XLLccpSJBZe","id.orig_h":"192.168.227.102","id.orig_p":42692,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.803202Z","uid":"CVBsOs3XLLccpSJBZe","id.orig_h":"192.168.227.102","id.orig_p":42692,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.805073Z","uid":"CJgitl2mjXr4YEnw3f","id.orig_h":"192.168.227.102","id.orig_p":42910,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.871340Z","uid":"CJgitl2mjXr4YEnw3f","id.orig_h":"192.168.227.102","id.orig_p":42910,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.896425Z","uid":"CAFrrn2rYMKZtslpVl","id.orig_h":"192.168.227.102","id.orig_p":35664,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
Thanks,
Regards,
Aneela Safdar
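One way to get the separate SMB login log the post asks for, written as an added example rather than anything from the original thread: a small Bro script that creates its own log stream and records the account name and domain from SMB session setup. It assumes Bro/Zeek with the SMB and NTLM analyzers loaded (on Bro 2.5 that means @load policy/protocols/smb; they are on by default from 2.6), that ignore_checksums=T stays set so the analyzers see the traffic, and that the event and record field names are the analyzers' as I know them.

```zeek
# Added example, not from the original post: write SMB authentication attempts,
# with the account name the client supplied, to a separate smb_auth.log.
# Assumes Bro/Zeek with the SMB and NTLM analyzers loaded (Bro 2.5 or later);
# event and field names below are the analyzers' as I know them.
module SMBAuth;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:     time    &log;
        uid:    string  &log;
        id:     conn_id &log;
        method: string  &log;            # "SMB1" or "NTLM" (SMB2 wraps NTLM)
        domain: string  &log &optional;
        user:   string  &log &optional;
    };
}

event bro_init()
{
    # One dedicated stream: smb_auth.log lands next to conn.log and weird.log.
    Log::create_stream(SMBAuth::LOG, [$columns=Info, $path="smb_auth"]);
}

# SMB1 carries the account name in clear text in Session Setup AndX.
event smb1_session_setup_andx_request(c: connection, hdr: SMB1::Header,
                                      request: SMB1::SessionSetupAndXRequest)
{
    local rec = Info($ts=network_time(), $uid=c$uid, $id=c$id, $method="SMB1");
    if ( request?$account_name )
        rec$user = request$account_name;
    if ( request?$primary_domain )
        rec$domain = request$primary_domain;
    Log::write(SMBAuth::LOG, rec);
}

# SMB2 authenticates via an NTLM/SPNEGO blob; the NTLM AUTHENTICATE message names user and domain.
event ntlm_authenticate(c: connection, request: NTLM::Authenticate)
{
    if ( c$id$resp_p != 445/tcp )      # keep only SMB, not NTLM over HTTP etc.
        return;
    local rec = Info($ts=network_time(), $uid=c$uid, $id=c$id, $method="NTLM");
    if ( request?$user_name )
        rec$user = request$user_name;
    if ( request?$domain_name )
        rec$domain = request$domain_name;
    Log::write(SMBAuth::LOG, rec);
}
```

Drop the script into site/ and @load it from local.bro; each line of smb_auth.log then ties a uid back to the conn.log entry, so repeated attempts from one id.orig_h with different user values stand out without going through weird.log.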