Ignore_checksum causes weird.log to stop logging unusual login attempts

Hi,

I am monitoring the weird.log file to look for unusual login attempts on different services running, like SMB. But when I added ignore_checksum=T in local.bro, weird.log stopped recording those login attempts. I am also, in parallel, reading SSH login requests, which are only logged by ssh.log if the checksum is ignored.

Is there a way I could log attempts on both the SMB and SSH services? How can I make a separate file for SMB-related requests? Just login attempts would be fine, because weird.log does not log usernames and other essential info related to the attack.

ssh.log file content, only logged when the checksum is ignored:

{"ts":"2016-08-03T13:37:44.054012Z","uid":"CftFQ54On2aEMWTxe2","id.orig_h":"192.168.227.102","id.orig_p":41146,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:46.403884Z","uid":"CiPQlY3yKBXpFNAZy7","id.orig_h":"192.168.227.102","id.orig_p":38431,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:53.591712Z","uid":"CrBgS9RnVLTqoJ0Ch","id.orig_h":"192.168.227.102","id.orig_p":42909,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"auth_success":true,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:48.727616Z","uid":"Cl8KRP2oeWFBeEu1c8","id.orig_h":"192.168.227.102","id.orig_p":36868,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:51.030760Z","uid":"CihwTS2fBKkKOnLQmh","id.orig_h":"192.168.227.102","id.orig_p":34020,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:54.514701Z","uid":"Cy9JZh7rnAmkUopic","id.orig_h":"192.168.227.102","id.orig_p":46764,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:56.157141Z","uid":"CPlFiq1B98W54N2CHb","id.orig_h":"192.168.227.102","id.orig_p":39147,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}
{"ts":"2016-08-03T13:37:58.399253Z","uid":"CIUjNm1YN5VOCh2kMj","id.orig_h":"192.168.227.102","id.orig_p":33347,"id.resp_h":"192.168.227.101","id.resp_p":22,"version":2,"client":"SSH-2.0-OpenSSH_5.0","server":"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6","cipher_alg":"arcfour256","mac_alg":"hmac-md5","compression_alg":"none","kex_alg":"diffie-hellman-group-exchange-sha1","host_key_alg":"ssh-rsa","host_key":"8d:df:71:ac:29:1f:67:6f:f3:dd:c3:e5:2e:5f:3e:b4"}

weird.log file content for SMB service login attempts, logged when the checksum is not ignored:

{"ts":"2016-08-03T12:58:27.310293Z","uid":"CX7tYC3dcJRhr7JHQf","id.orig_h":"192.168.227.102","id.orig_p":34040,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.379358Z","uid":"CX7tYC3dcJRhr7JHQf","id.orig_h":"192.168.227.102","id.orig_p":34040,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.383344Z","uid":"CU8OtK24mBy3xArCUf","id.orig_h":"192.168.227.102","id.orig_p":35751,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.434387Z","uid":"CU8OtK24mBy3xArCUf","id.orig_h":"192.168.227.102","id.orig_p":35751,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.437407Z","uid":"CJxYrM2ZDvbfXrOOMg","id.orig_h":"192.168.227.102","id.orig_p":37063,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.493461Z","uid":"CJxYrM2ZDvbfXrOOMg","id.orig_h":"192.168.227.102","id.orig_p":37063,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.496109Z","uid":"CmyLjl40RuIbPyIfGg","id.orig_h":"192.168.227.102","id.orig_p":37447,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.560012Z","uid":"CmyLjl40RuIbPyIfGg","id.orig_h":"192.168.227.102","id.orig_p":37447,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.567962Z","uid":"Cdkk3l4VSBL9hHfMyc","id.orig_h":"192.168.227.102","id.orig_p":38688,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.629859Z","uid":"Cdkk3l4VSBL9hHfMyc","id.orig_h":"192.168.227.102","id.orig_p":38688,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.633006Z","uid":"CWPSxs3IcmDxCuZlFc","id.orig_h":"192.168.227.102","id.orig_p":39016,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.696545Z","uid":"CWPSxs3IcmDxCuZlFc","id.orig_h":"192.168.227.102","id.orig_p":39016,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.712067Z","uid":"CVBsOs3XLLccpSJBZe","id.orig_h":"192.168.227.102","id.orig_p":42692,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.803202Z","uid":"CVBsOs3XLLccpSJBZe","id.orig_h":"192.168.227.102","id.orig_p":42692,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.805073Z","uid":"CJgitl2mjXr4YEnw3f","id.orig_h":"192.168.227.102","id.orig_p":42910,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.871340Z","uid":"CJgitl2mjXr4YEnw3f","id.orig_h":"192.168.227.102","id.orig_p":42910,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.896425Z","uid":"CAFrrn2rYMKZtslpVl","id.orig_h":"192.168.227.102","id.orig_p":35664,"id.resp_h":"192.168.227.101","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}

Thanks,

Regards,

Aneela Safdar

Hi Aneela,

weird.log is not really the place to look for unusual login attempts; in
this case, all the messages you see are caused by problems with the TCP
traffic that Bro sees: due to issues with your NIC, the checksums are not
correct, Bro discards packets with incorrect checksums, and the remaining
traffic looks broken.

When you set ignore_checksum to true, Bro ignores broken checksums and
sees all the traffic, which makes the weirds that were reported because
of TCP oddities go away. You will still find these connections in
conn.log. There is no smb.log (or similar), because Bro currently does not
ship with a working SMB analyzer; however, we are working on this and an
SMB analyzer should be merged into the Bro master within the next weeks
(the branch is accessible on git). Depending on your traffic, this might
then log the information that you want.

I hope this helps,
Johanna
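Added example, not code from the thread's participants or from the Bro project: a small Python script that reads Bro's one-JSON-object-per-line logs and does the three things the reply points at. It summarises ssh.log per source host (treating a missing auth_success field as "Bro could not tell", not as a failure), counts SMB connections per source from conn.log, where they still appear without an SMB analyzer, and measures what fraction of weird.log is made up of the two names seen above, which is the symptom of a sensor that is discarding packets with bad checksums. The sample log lines are constructed in the same JSON shape the thread shows; hosts, uids, timestamps, the function names and the thresholds are my own choices. (The Bro option is spelled ignore_checksums, also available as the -C command-line flag; disabling checksum offload on the capture NIC, e.g. with ethtool, fixes the root cause rather than the symptom.)

```python
"""Per-source summaries of Bro JSON logs: ssh.log, conn.log and weird.log.

Illustration added for this thread, not Bro project code. Sample lines are
constructed in the JSON shape the thread shows; all values are made up.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# weird names the reply attributes to TCP state mangled by bad checksums; a
# weird.log dominated by these is a capture problem, not an attack signal.
CHECKSUM_WEIRDS = {"data_before_established", "inappropriate_FIN"}

# Constructed ssh.log: 10.0.0.5 opens six sessions in 12 s (one authenticates,
# one explicitly fails, four undetermined); 10.0.0.7 is one normal login.
SSH_LOG = """
{"ts":"2016-08-03T13:37:44.054012Z","uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":41146,"id.resp_h":"10.0.0.9","id.resp_p":22,"version":2}
{"ts":"2016-08-03T13:37:46.403884Z","uid":"C2","id.orig_h":"10.0.0.5","id.orig_p":38431,"id.resp_h":"10.0.0.9","id.resp_p":22,"version":2}
{"ts":"2016-08-03T13:37:48.727616Z","uid":"C3","id.orig_h":"10.0.0.5","id.orig_p":36868,"id.resp_h":"10.0.0.9","id.resp_p":22,"version":2}
{"ts":"2016-08-03T13:37:51.030760Z","uid":"C4","id.orig_h":"10.0.0.5","id.orig_p":34020,"id.resp_h":"10.0.0.9","id.resp_p":22,"version":2,"auth_success":false}
{"ts":"2016-08-03T13:37:53.591712Z","uid":"C5","id.orig_h":"10.0.0.5","id.orig_p":42909,"id.resp_h":"10.0.0.9","id.resp_p":22,"version":2,"auth_success":true}
{"ts":"2016-08-03T13:37:56.157141Z","uid":"C6","id.orig_h":"10.0.0.5","id.orig_p":39147,"id.resp_h":"10.0.0.9","id.resp_p":22,"version":2}
{"ts":"2016-08-03T13:40:00.000000Z","uid":"C7","id.orig_h":"10.0.0.7","id.orig_p":50001,"id.resp_h":"10.0.0.9","id.resp_p":22,"version":2,"auth_success":true}
"""

# Constructed weird.log: five checksum-style weirds and one unrelated one.
WEIRD_LOG = """
{"ts":"2016-08-03T12:58:27.310293Z","uid":"C8","id.orig_h":"10.0.0.5","id.orig_p":34040,"id.resp_h":"10.0.0.9","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.379358Z","uid":"C8","id.orig_h":"10.0.0.5","id.orig_p":34040,"id.resp_h":"10.0.0.9","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.383344Z","uid":"C9","id.orig_h":"10.0.0.5","id.orig_p":35751,"id.resp_h":"10.0.0.9","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.434387Z","uid":"C9","id.orig_h":"10.0.0.5","id.orig_p":35751,"id.resp_h":"10.0.0.9","id.resp_p":445,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:27.437407Z","uid":"C10","id.orig_h":"10.0.0.5","id.orig_p":37063,"id.resp_h":"10.0.0.9","id.resp_p":445,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2016-08-03T12:58:30.000000Z","uid":"C11","id.orig_h":"10.0.0.7","id.orig_p":50002,"id.resp_h":"10.0.0.9","id.resp_p":80,"name":"possible_split_routing","notice":false,"peer":"bro"}
"""

# Constructed conn.log: four SMB (445/tcp) connections from 10.0.0.5, one HTTP.
CONN_LOG = """
{"ts":"2016-08-03T12:58:27.310293Z","uid":"C8","id.orig_h":"10.0.0.5","id.orig_p":34040,"id.resp_h":"10.0.0.9","id.resp_p":445,"proto":"tcp","conn_state":"SF"}
{"ts":"2016-08-03T12:58:27.383344Z","uid":"C9","id.orig_h":"10.0.0.5","id.orig_p":35751,"id.resp_h":"10.0.0.9","id.resp_p":445,"proto":"tcp","conn_state":"SF"}
{"ts":"2016-08-03T12:58:27.437407Z","uid":"C10","id.orig_h":"10.0.0.5","id.orig_p":37063,"id.resp_h":"10.0.0.9","id.resp_p":445,"proto":"tcp","conn_state":"RSTO"}
{"ts":"2016-08-03T12:58:27.496109Z","uid":"C12","id.orig_h":"10.0.0.5","id.orig_p":37447,"id.resp_h":"10.0.0.9","id.resp_p":445,"proto":"tcp","conn_state":"SF"}
{"ts":"2016-08-03T12:58:30.000000Z","uid":"C11","id.orig_h":"10.0.0.7","id.orig_p":50002,"id.resp_h":"10.0.0.9","id.resp_p":80,"proto":"tcp","conn_state":"SF"}
"""


def parse_log(text):
    """One JSON object per non-empty line, as Bro's JSON log writer emits them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ssh_summary(records):
    """Per source host: session count, explicit successes and failures, and the
    time span of the sessions. auth_success is optional in ssh.log; when it is
    absent Bro could not tell, so the session is counted as undetermined."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["id.orig_h"]].append(r)
    out = {}
    for host, recs in by_host.items():
        times = [datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%S.%fZ") for r in recs]
        out[host] = {
            "sessions": len(recs),
            "success": sum(1 for r in recs if r.get("auth_success") is True),
            "failure": sum(1 for r in recs if r.get("auth_success") is False),
            "undetermined": sum(1 for r in recs if "auth_success" not in r),
            "span_s": (max(times) - min(times)).total_seconds(),
        }
    return out


def flag_ssh_bruteforce(summary, min_sessions=5, max_span_s=60):
    """Sources with many sessions in a short window (thresholds are assumptions).
    Severity rises when one of the burst's sessions authenticated, since that
    looks like a guessed credential rather than a failed sweep."""
    flags = {}
    for host, s in summary.items():
        if s["sessions"] >= min_sessions and s["span_s"] <= max_span_s:
            flags[host] = "success_after_burst" if s["success"] else "burst"
    return flags


def smb_connection_summary(conn_records, port=445):
    """conn.log is where SMB connections still show up without an SMB analyzer:
    count them per source host, keeping the conn_state distribution."""
    out = defaultdict(Counter)
    for r in conn_records:
        if r.get("proto") == "tcp" and r["id.resp_p"] == port:
            out[r["id.orig_h"]][r.get("conn_state", "?")] += 1
    return {host: dict(states) for host, states in out.items()}


def checksum_symptom(weird_records, threshold=0.8):
    """Fraction of weirds explained by mangled TCP state. Above the threshold
    (an assumption) the sensor is almost certainly dropping packets with bad
    checksums, and none of its application logs can be trusted yet."""
    if not weird_records:
        return 0.0, False
    hits = sum(1 for r in weird_records if r["name"] in CHECKSUM_WEIRDS)
    frac = hits / len(weird_records)
    return frac, frac >= threshold


if __name__ == "__main__":
    print("checksum symptom:", checksum_symptom(parse_log(WEIRD_LOG)))
    print("ssh flags:", flag_ssh_bruteforce(ssh_summary(parse_log(SSH_LOG))))
    print("smb connections:", smb_connection_summary(parse_log(CONN_LOG)))
```

Run the checksum check first: if it fires, fix the capture (ignore_checksums or NIC offload) and only then read ssh.log and conn.log, because with checksums rejected the SSH analyzer never sees a complete stream and ssh.log stays empty, exactly as observed in the thread.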