ssh-detect-bruteforcing: auth_success and auth_attempts are not recorded in ssh.log


I am new to the bro(/zeek), and learning how it can be used as IDS in my Debian system.

I have installed bro and trying a simple bro script for detecting ssh bruteforcing.
bro version 2.5.5
used below command to monitor and check if it detects the ssh bruteforcing
bro -C -i enp0s3 /usr/share/bro/policy/protocols/ssh/detect-bruteforcing.bro

from second machine i have attempted to login the bro mornitoring system with wrong passwords.
and i have checked ssh.log in the bro monitoring system, and i see empty fields for the fields auth_success and auth_attempts.


I learnt that in the above log the following two fields are not recorded "auth_success" & "auth_attempts" and so it can not detect bruteforcing.

after googling i found that recording "auth_attempts" and "auth_success" is fixed in version 2.6.

But when i apply the patch
to Bro version source code 2.5 i could still see the same problem not recorded "auth_success" & "auth_attempts"

Kindly guide me to fix this problem in version 2.5



It’s not a good idea to run Bro 2.5.5. It’s unsupported and has security vulnerabilities.



You could probably detect it by using the conn.log too. In theory lots of similar sized smalk responses to same source host where it does not look like much is changing might be brute force.

This assumes both the connection rate for new sessions are too numerous (but you need to account by for slower brute forces) and that the session seems short and smalk amounts of data, you would assume a deny would be similarly sized each time during a failed session.

Also you would assume there would be more than average unique ssh.log and conn.log entries. Hassh plugin may help too as you could identify no standard clients too by hashes and encryption used like how ja3 works. This would help identify actual nonstandard brute forcing tools by values, encryption and uniqueness in the environment if not using standard tools and just scripting them

Thank you Richard for your comment,

we were using Debian based system (buster version) where it uses bro version 2.5, and we were evaluating to use Bro in our systems but facing this problem (could not detect brute-forcing).

I have tried applying this patch but still no use.

Please suggest me if i can fix this issue in version 2.5