I'm trying to correlate the notices generated by SSH::Password_Guessing with bro/firewall logs.
I currently have detect-bruteforcing variables at the default of 30 failed SSH attempts over a 30 minute period as the limit before a host is considered to be guessing passwords and a notice is generated.
Message: 220.127.116.11 appears to be guessing SSH passwords (seen in 62 connections).
Sub: Sampled servers: 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206 (yes it lists the same SSH server 5 times)
File Mime Type: -
File Desc: -
Peer Descr: worker-2-2
// Bro ssh.log for that timeframe
[root@bro]# cat ssh.21\:00\:00-22\:00\:00.log | /usr/local/bro/bin/bro-cut -d ts id.orig_h auth_success | grep 220.127.116.11
2017-04-18T21:36:58-0400 18.104.22.168 T <--- this line is repeated 31 times
2017-04-18T21:37:45-0400 22.214.171.124 T <--- this line is repeated 31 times
Notice that auth_success is True.
Just shows the two (successful) ssh connections at the corresponding times.
My load balancing setup:
This is a single box with 32 cores.
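One way to check a notice against the log that should explain it, as an added example (not from the original post and not Bro's own detect-bruteforcing script): re-run the default threshold, 30 failed logins from one client within 30 minutes, over rows in the shape `bro-cut -d ts id.orig_h id.resp_h auth_success` prints. The sample rows and IP addresses below are constructed; treating `-` (undetermined) as a failure is a configurable assumption.

```python
# Added example: apply the detect-bruteforcing threshold (30 failures in a
# 30-minute window, per client) to ssh.log rows and report which clients
# cross it, so a SSH::Password_Guessing notice can be matched to log rows.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: client 10.0.0.9 fails 31 times in ~11 minutes and then
# logs in; client 10.0.0.5 only has one successful login.
SAMPLE_LOG = "\n".join(
    [f"2017-04-18T21:{10 + i // 3:02d}:{(i % 3) * 20:02d}-0400\t10.0.0.9\t192.0.2.10\tF"
     for i in range(31)]
    + ["2017-04-18T21:36:58-0400\t10.0.0.9\t192.0.2.10\tT",
       "2017-04-18T21:37:45-0400\t10.0.0.5\t192.0.2.11\tT"]
)


def parse_rows(text):
    """Yield (ts, orig_h, resp_h, auth_success) from tab-separated bro-cut -d output."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, resp_h, auth = line.split("\t")
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z"), orig_h, resp_h, auth


def find_guessers(text, threshold=30, window=timedelta(minutes=30), count_unknown=False):
    """Return {orig_h: (failures_in_window, sampled_servers)} for clients over the limit.

    A row counts as a failure when auth_success is 'F'; '-' counts only if
    count_unknown is set (assumption, not Bro's documented behaviour).
    """
    rows = sorted(parse_rows(text))          # sliding window needs time order
    recent = defaultdict(deque)              # orig_h -> failure timestamps in window
    servers = defaultdict(list)              # orig_h -> distinct servers tried
    hits = {}
    for ts, orig_h, resp_h, auth in rows:
        if auth == "T" or (auth == "-" and not count_unknown):
            continue                         # only failures drive the notice
        q = recent[orig_h]
        q.append(ts)
        while ts - q[0] > window:            # drop failures older than the window
            q.popleft()
        if resp_h not in servers[orig_h]:
            servers[orig_h].append(resp_h)
        if len(q) >= threshold:
            hits[orig_h] = (len(q), servers[orig_h][:5])
    return hits


if __name__ == "__main__":
    for host, (n, sampled) in find_guessers(SAMPLE_LOG).items():
        print(f"{host} appears to be guessing SSH passwords ({n} failures); servers: {sampled}")
```

If the real ssh.log rows for the client carry only auth_success=T, this reports nothing for it, which is the mismatch to take to the notice's raw observations.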