So recently I saw an SSH login to a device from outside the US. I reported it to the end system admin. The Zeek log set the auth_success state to true, but the admin of the box claims no successful login and is pushing back that it is a false positive.
Have other Zeek users ever seen this? Is the SSH auth state detection mistaken here?
I don’t have pcaps to verify one way or the other, sadly.
{"_path":"ssh","_system_name":"corelight","_write_ts":"2019-09-12T22:26:32.106142Z","ts":"2019-09-12T22:26:31.226136Z","uid":"C95i0o2Jl77LXHb2R9","id.orig_h":"x.x.x.x","id.orig_p":49670,"id.resp_h":"x.x.x.x","id.resp_p":22,"version":2,"auth_success":true,"auth_attempts":1,"direction":"INBOUND","client":"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4","server":"SSH-2.0-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256@libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"68:1e:68:89:5e:e5:20:72:f7:e6:bf:21:de:07:3a:b1"}
Can anyone shed light on this?
Thanks
Jeff
Jeffrey Collyer
Information Security Engineer
University of Virginia
jwc3f@virginia.edu
Since Zeek only sees the encrypted traffic of an ssh session, it can only make a best-guess based on packet-size analysis, which is not necessarily going to be 100% accurate.
Hi Jeffrey,
The SSH detection /should/ be fairly solid. I really tried to err on the side of caution, and to not make a determination if there was some room for doubt.
I haven’t heard any reports about what specifically might cause a false positive, but I would guess: some uncommon SSH option (e.g. a large banner?) or some aggressive TCP settings.
If you can duplicate this by trying to log in against this server, and could share an anonymized PCAP, I’ll work on updating the analyzer.
Thanks,
–Vlad
Jeffrey,
I wanted to follow up on this and see if you were able to determine any additional information.
Thanks!
--Vlad
The Zeek log set the auth_success state to true, but the admin of the box claims no successful login and is pushing back that it is a false positive.
Have other Zeek users ever seen this? Is the SSH auth state detection mistaken here?
It’s been my experience that auth_success isn’t reliable enough to be actionable.
Melissa
Melissa Muth
IT Architect, Office of Information Security
Information Systems & Computing
University of Pennsylvania
muthm@isc.upenn.edu 215-573-6798
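One way to settle the question raised in this thread, added here as an example that is not part of any of the posts: treat Zeek's inferred auth_success as a lead and corroborate it against the server's own sshd log for the same client IP and ephemeral source port, which identifies the exact TCP connection Zeek saw. The Zeek records, sshd lines, IPs and usernames below are constructed; the sshd timestamps are assumed to be UTC and in the same year as the Zeek records.

```python
import json
import re
from datetime import datetime, timezone

# Constructed Zeek ssh.log records (JSON), modelled on the fields in the thread; IPs are documentation ranges.
ZEEK_SSH_LOG = """\
{"_path":"ssh","ts":"2019-09-12T22:26:31.226136Z","uid":"C95i0o2Jl77LXHb2R9","id.orig_h":"203.0.113.45","id.orig_p":49670,"id.resp_h":"198.51.100.10","id.resp_p":22,"auth_success":true,"auth_attempts":1,"direction":"INBOUND"}
{"_path":"ssh","ts":"2019-09-12T22:40:02.000000Z","uid":"CqX9kz3n7Bq0","id.orig_h":"203.0.113.77","id.orig_p":51002,"id.resp_h":"198.51.100.10","id.resp_p":22,"auth_success":true,"auth_attempts":2,"direction":"INBOUND"}
"""
# Constructed sshd syslog lines from the same server (assumed UTC and the same year as the Zeek records).
SSHD_LOG = """\
Sep 12 22:26:31 srv sshd[1234]: Failed publickey for jeff from 203.0.113.45 port 49670 ssh2: RSA SHA256:PLACEHOLDER
Sep 12 22:26:33 srv sshd[1234]: Connection closed by authenticating user jeff 203.0.113.45 port 49670 [preauth]
Sep 12 22:40:03 srv sshd[1300]: Accepted password for deploy from 203.0.113.77 port 51002 ssh2
"""
# Only sshd's own Accepted/Failed verdicts matter; other sshd lines are ignored.
SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day> ?\d+) (?P<time>[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<verdict>Accepted|Failed) \S+ for (?:invalid user )?\S+ "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

def parse_sshd(text, year):
    """Return (utc timestamp, verdict, client ip, client port) for each Accepted/Failed line."""
    events = []
    for m in filter(None, map(SSHD_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m['mon']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts.replace(tzinfo=timezone.utc), m["verdict"], m["ip"], int(m["port"])))
    return events

def corroborate(zeek_json, sshd_text, window_s=60):
    """Map each Zeek uid with auth_success=true to sshd's verdict for the same client ip:port.
    "Accepted" confirms the heuristic, "Failed" contradicts it, None means no host evidence in the window."""
    results = {}
    for line in zeek_json.splitlines():
        rec = json.loads(line)
        if not rec.get("auth_success"):
            continue
        zts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        verdict = None
        # The client's ephemeral port ties the sshd line to this exact TCP connection.
        for ts, v, ip, port in parse_sshd(sshd_text, zts.year):
            if (ip, port) == (rec["id.orig_h"], rec["id.orig_p"]) and abs((ts - zts).total_seconds()) <= window_s:
                verdict = v
                if v == "Accepted":
                    break
        results[rec["uid"]] = verdict
    return results
```

A "Failed" result for a uid Zeek marked auth_success is the case this thread describes: the inference disagrees with the host, so the host log (or a PCAP of a repeated login) is what decides it.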