Question about duplicate traffic with load balancing and SSH::Password_Guessing

I'm trying to correlate the notices generated by SSH::Password_Guessing with bro/firewall logs.

I currently have the detect-bruteforcing variables at the default of 30 failed SSH attempts over a 30-minute period as the limit before a host is considered to be guessing passwords and a notice is generated.


//Bro Notice
Message: appears to be guessing SSH passwords (seen in 62 connections).
Sub: Sampled servers:,,,, (yes it lists the same SSH server 5 times)
Dst: -
UID: -
File Mime Type: -
File Desc: -
Proto: -
P: -
N: -
Peer Descr: worker-2-2
Actions: Notice::ACTION_EMAIL,Notice::ACTION_LOG

// Bro ssh.log for that timeframe
[root@bro]# cat ssh.21\:00\:00-22\:00\:00.log | /usr/local/bro/bin/bro-cut -d ts id.orig_h auth_success | grep
2017-04-18T21:36:58-0400 T <--- this line is repeated 31 times
2017-04-18T21:37:45-0400 T <--- this line is repeated 31 times

Notice that auth_success is True.

//Firewall logs
Just shows the two (successful) ssh connections at the corresponding times.

My load balancing setup:


This is a single box with 32 cores.

In order for that configuration to work, you need to have the Myricom SNF drivers and pcap library installed, and Bro must be using that pcap library.

If you are seeing the same connection logged 31 times, then you are DEFINITELY not using the Myricom-provided pcap library.

If the Myricom pcap library is not referenced in /etc/ or similar, you'll need something like this under the worker node:
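As an added diagnostic for the symptom described in this thread (not the configuration the reply refers to, and not code from either poster), the following Python script parses a Bro/Zeek ssh.log and reports connections that appear under several uids with the same timestamp and 4-tuple, i.e. the same packets analysed by more than one worker. The log excerpt is constructed and its field list shortened; the `1492565818.412`-style timestamps and `10.0.0.x` addresses are placeholders.

```python
from collections import defaultdict

# Constructed ssh.log excerpt (Bro/Zeek TSV, field list shortened), not the
# poster's log. The first connection appears four times under different uids,
# which is how duplicated traffic looks when several workers see the same packets.
SAMPLE_LOG = """\
#separator \\x09
#path\tssh
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tauth_success
#types\ttime\tstring\taddr\tport\taddr\tport\tbool
1492565818.412\tCa1b2\t10.0.0.5\t51234\t192.168.1.10\t22\tT
1492565818.412\tCc3d4\t10.0.0.5\t51234\t192.168.1.10\t22\tT
1492565818.412\tCe5f6\t10.0.0.5\t51234\t192.168.1.10\t22\tT
1492565818.412\tCg7h8\t10.0.0.5\t51234\t192.168.1.10\t22\tT
1492565900.001\tCi9j0\t10.0.0.9\t40001\t192.168.1.10\t22\tF
1492565905.777\tCk1l2\t10.0.0.9\t40002\t192.168.1.10\t22\tF
#close\t2017-04-18-22-00-00
"""

# Same 4-tuple and start time means the same connection; uids differ per
# worker, so they are deliberately left out of the key.
CONN_KEY = ("ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p")

def parse_zeek_tsv(text):
    """Return one dict per record, named from the #fields header line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def duplicated_connections(rows):
    """Map each connection seen under more than one uid to its copy count."""
    uids = defaultdict(set)
    for r in rows:
        uids[tuple(r[k] for k in CONN_KEY)].add(r["uid"])
    return {k: len(u) for k, u in uids.items() if len(u) > 1}

def per_source_counts(rows):
    """Raw records vs. distinct connections per id.orig_h; the gap is the
    inflation that can push a host over the SSH::Password_Guessing limit."""
    raw, distinct = defaultdict(int), defaultdict(set)
    for r in rows:
        raw[r["id.orig_h"]] += 1
        distinct[r["id.orig_h"]].add(tuple(r[k] for k in CONN_KEY))
    return {h: (raw[h], len(distinct[h])) for h in raw}
```

Run it against a real ssh.log (read the file and pass its contents to `parse_zeek_tsv`); any key returned by `duplicated_connections` with a copy count near the worker count points at the load-balancing setup rather than at the source host.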