ssh-detect-bruteforcing: auth_success and auth_attempts are not recorded in ssh.log

Hi,

I am new to Bro (Zeek), and am learning how it can be used as an IDS on my Debian system.

I have installed Bro (version 2.5.5) and am trying a simple Bro script for detecting SSH brute-forcing.
I used the command below to monitor and check whether it detects SSH brute-forcing:
bro -C -i enp0s3 /usr/share/bro/policy/protocols/ssh/detect-bruteforcing.bro

From a second machine I have attempted to log in to the Bro monitoring system with wrong passwords.
I have checked ssh.log on the Bro monitoring system, and I see empty values for the fields auth_success and auth_attempts.

Hi,

I learnt that in the above log the following two fields are not recorded, "auth_success" & "auth_attempts", and so it cannot detect brute-forcing.

After googling I found that recording "auth_attempts" and "auth_success" is fixed in version 2.6.
https://github.com/zeek/zeek/issues/192

But when I apply the patch https://github.com/zeek/zeek/commit/46f727a6fa327e09d246d02148a2f5141512bc5a
to the Bro 2.5 source code I still see the same problem: "auth_success" & "auth_attempts" are not recorded.

Kindly guide me to fix this problem in version 2.5.

Thanks
venkata.

Hello,

It’s not a good idea to run Bro 2.5.5. It’s unsupported and has security vulnerabilities.

Sincerely,

Richard

You could probably detect it by using the conn.log too. In theory, lots of similar-sized small responses to the same source host, where it does not look like much is changing, might be brute force.

This assumes both that the connection rate for new sessions is too high (but you need to account for slower brute forces) and that the sessions seem short with small amounts of data; you would assume a deny would be similarly sized each time during a failed session.

Also, you would assume there would be more than the average number of unique ssh.log and conn.log entries. The HASSH plugin may help too, as you could identify non-standard clients by the hashes and encryption used, like how JA3 works. This would help identify actual non-standard brute-forcing tools by values, encryption and uniqueness in the environment, if they are not using standard tools and are just scripting them.
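The conn.log heuristic sketched above, written out as an added example (not code from this thread or from Zeek): group SSH connections by originating host and flag hosts with many short sessions whose server-side byte counts barely vary. The conn.log rows and the thresholds are constructed assumptions, not real traffic or tuned values.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed conn.log rows in Zeek's TSV layout (not real traffic):
# 10.0.0.5 makes six short SSH sessions with near-identical resp_bytes,
# 10.0.0.7 makes one long interactive session.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
    "1560000000.1\tC1\t10.0.0.5\t40001\t10.0.0.9\t22\ttcp\tssh\t2.1\t1530\t2120\tSF",
    "1560000001.3\tC2\t10.0.0.5\t40002\t10.0.0.9\t22\ttcp\tssh\t2.0\t1528\t2118\tSF",
    "1560000002.4\tC3\t10.0.0.5\t40003\t10.0.0.9\t22\ttcp\tssh\t2.2\t1531\t2124\tSF",
    "1560000003.6\tC4\t10.0.0.5\t40004\t10.0.0.9\t22\ttcp\tssh\t1.9\t1529\t2119\tSF",
    "1560000004.8\tC5\t10.0.0.5\t40005\t10.0.0.9\t22\ttcp\tssh\t2.1\t1530\t2121\tSF",
    "1560000005.9\tC6\t10.0.0.5\t40006\t10.0.0.9\t22\ttcp\tssh\t2.0\t1527\t2117\tSF",
    "1560000010.0\tC7\t10.0.0.7\t50001\t10.0.0.9\t22\ttcp\tssh\t540.0\t48210\t391002\tSF",
])

def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def suspect_ssh_bruteforce(text, min_sessions=5, max_duration=10.0,
                           max_resp_bytes=4096, max_spread=0.05):
    """Return {orig_h: session_count} for hosts matching the heuristic:
    at least min_sessions short SSH sessions whose resp_bytes are small and
    vary by at most max_spread (relative std dev), i.e. the server answered
    alike each time, as repeated authentication denials would look."""
    by_host = defaultdict(list)
    for row in parse_conn_log(text):
        if row["id.resp_p"] != "22" or "-" in (row["duration"], row["resp_bytes"]):
            continue  # not SSH, or Zeek logged no duration/bytes for this flow
        if float(row["duration"]) <= max_duration and int(row["resp_bytes"]) <= max_resp_bytes:
            by_host[row["id.orig_h"]].append(int(row["resp_bytes"]))
    flagged = {}
    for host, sizes in by_host.items():
        mean = sum(sizes) / len(sizes)
        if len(sizes) >= min_sessions and pstdev(sizes) / mean <= max_spread:
            flagged[host] = len(sizes)
    return flagged

if __name__ == "__main__":
    print(suspect_ssh_bruteforce(SAMPLE_CONN_LOG))  # {'10.0.0.5': 6}
```

Raising min_sessions or lowering max_duration trades missed slow brute forces for fewer false positives on legitimate short sessions, which is the tuning the post above warns about.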

Thank you Richard for your comment,

We were using a Debian-based system (buster), which uses Bro version 2.5, and we were evaluating Bro for use in our systems but are facing this problem (it could not detect brute-forcing).

I have tried applying this patch https://github.com/zeek/zeek/commit/46f727a6fa327e09d246d02148a2f5141512bc5a but it was still no use.

Please suggest whether I can fix this issue in version 2.5.

Thanks
venkata