Notice.log logs a Password_Guessing attempt but no logs in conn.log

Hi,

So I had a weird situation at work today.
The notice.log file logged an IP for “SSH::Password_Guessing” with the note “50.123.48.2 appears to be guessing SSH passwords (seen in 53 connections)”.

But when I check the conn.log file for that time period and grep for that IP, I just see a single established ssh connection from that IP. I was expecting to see 53 bad ssh connections logged in the conn.log file.

What am I missing here?
How can I confirm whether that IP was actually doing a SSH password guessing attempt?

Thanks,
Fatema.

Hello Fatema,

You actually managed to stumble across a bug here - apparently the event
that we use to determine when password guessing occurs can be raised
several times in the same connection (which probably is an error).

I filed a ticket for this, if you want you can track the progress at
https://bro-tracker.atlassian.net/browse/BIT-1641.

Thank you,
Johanna
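
One way to do the check Fatema asks about (does conn.log back up what the notice claims?) is to count the distinct connection UIDs per source address and compare them with the number in the notice message. The script below is an added example for this thread, not code from Bro or from either poster. It assumes the standard Bro ASCII log layout (a `#fields` header followed by tab-separated rows) and the exact message wording quoted above; the conn.log and notice.log samples are constructed, carry only a subset of the real columns, and the UIDs and ports in them are made up.

```python
import re
from collections import defaultdict

# Constructed sample logs in the Bro ASCII (tab-separated) format. Real conn.log and
# notice.log files carry more columns; only the ones this check needs are kept here,
# and the parser reads whatever columns the #fields header declares.
CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\n"
    # 50.123.48.2: one established SSH connection plus an unrelated TLS connection
    "1459900000.123\tCXWv6p3arKYeMETxOg\t50.123.48.2\t51522\t10.0.0.5\t22\ttcp\tssh\tSF\n"
    "1459900020.678\tCAb7cQ1oPjZ5TtRnM9\t50.123.48.2\t51523\t10.0.0.5\t443\ttcp\tssl\tSF\n"
    # 198.51.100.7: 31 short SSH connections, the pattern a real guesser leaves behind
    + "".join(
        "%.3f\tCguess%02d\t198.51.100.7\t%d\t10.0.0.5\t22\ttcp\tssh\tRSTO\n"
        % (1459900100.0 + i, i, 40000 + i)
        for i in range(31)
    )
)

NOTICE_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tnote\tmsg\tsrc\n"
    "#types\ttime\tenum\tstring\taddr\n"
    "1459900030.000\tSSH::Password_Guessing\t"
    "50.123.48.2 appears to be guessing SSH passwords (seen in 53 connections)\t50.123.48.2\n"
    "1459900140.000\tSSH::Password_Guessing\t"
    "198.51.100.7 appears to be guessing SSH passwords (seen in 31 connections)\t198.51.100.7\n"
)

# Wording of the message produced by the SSH::Password_Guessing notice, as quoted in the thread.
_GUESSING_MSG = re.compile(
    r"^(?P<ip>\S+) appears to be guessing SSH passwords \(seen in (?P<n>\d+) connections\)$"
)


def parse_bro_log(text):
    """Parse a Bro ASCII log into a list of dicts keyed by the names in the #fields header.

    The separator is assumed to be a tab (the default); #separator, #types, #close and
    the other '#' header lines are skipped.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def ssh_connections_by_origin(conn_rows):
    """Number of distinct SSH connections (by uid) per originating host."""
    uids = defaultdict(set)
    for row in conn_rows:
        if row.get("service") == "ssh":
            uids[row["id.orig_h"]].add(row["uid"])
    return {ip: len(s) for ip, s in uids.items()}


def password_guessing_claims(notice_rows):
    """Map source IP -> connection count claimed by each SSH::Password_Guessing notice."""
    claims = {}
    for row in notice_rows:
        if row.get("note") != "SSH::Password_Guessing":
            continue
        m = _GUESSING_MSG.match(row.get("msg", ""))
        if m:
            claims[m.group("ip")] = int(m.group("n"))
    return claims


def check_notices(conn_log_text, notice_log_text):
    """Return {ip: (claimed_connections, observed_ssh_connections, verdict)}.

    A notice is only 'corroborated' when conn.log shows at least as many distinct SSH
    connections from that host as the notice claims; otherwise the event was most likely
    counted several times within one connection and the notice should not be acted on
    without further evidence.
    """
    observed = ssh_connections_by_origin(parse_bro_log(conn_log_text))
    result = {}
    for ip, claimed in password_guessing_claims(parse_bro_log(notice_log_text)).items():
        seen = observed.get(ip, 0)
        if seen >= claimed:
            verdict = "corroborated"
        else:
            verdict = "unsupported: only %d distinct ssh connection(s) in conn.log" % seen
        result[ip] = (claimed, seen, verdict)
    return result


if __name__ == "__main__":
    for ip, (claimed, seen, verdict) in sorted(check_notices(CONN_LOG, NOTICE_LOG).items()):
        print("%-14s notice: %3d  conn.log: %3d  -> %s" % (ip, claimed, seen, verdict))
```

When running this against real logs, take the conn.log window from the whole measurement interval the detection script uses (by default the bruteforcing script counts over a 30-minute window) rather than just the minute around the notice, and pull the ssh.log rows for the same UIDs to see whether the authentication actually failed. A host whose notice is "unsupported" in this sense is exactly the case Fatema hit: one established connection, and nothing in the logs to justify a block.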

Hi Johanna,

Thanks for looking into the issue, because currently we were blocking all the IPs reported by Bro as doing SSH::Password_Guessing (from notice.log). We have been doing that for almost 6 months now, but came across this situation when a legit IP got blocked for doing password guessing according to Bro,
and we were asked to produce the log files showing that it was actually doing guessing, but we couldn’t, because we didn’t find any logs to prove it…

I hope it gets fixed in the new version, because it’s a really cool feature to check to see all password guessing IPs and take necessary action against them.

Thanks for working on it, appreciate it.

Thanks,
Fatema.