SSH::Login Notices for internal to internal connections can get fairly noisy.

What is the most efficient way to filter out these notices for internal to internal without filtering for external connections?

I was thinking of ignoring the SSH::Login notices altogether, but then I believe I need to add a new Notice Type and fire a new notice on event SSH::heuristic_successful_login. See example code below.

Is there a more efficient way of doing this? I know editing the base ssh bro script is a big no-no.

Thanks!
Mike

redef enum Notice::Type += {
Login_Success
};

This is our list of internal addresses to exclude

global ssh_ignore: set[subnet] = {
192.168.1.0/24, # internal 1
10.0.0.0/8, # internal 2
};

Ignore SSH::Login Notice Type

redef Notice::ignored_types += { SSH::Login };

Add new Notice Type to successful login

event SSH::heuristic_successful_login(c: connection) &priority=0
{
if ( c$id$resp_h !in ssh_ignore ) {
NOTICE([$note=Login_Success,
$msg=“Heuristically detected successful SSH login.”,
$conn=c]);
}
}

redef Notice::policy += {
        [$pred(n: Notice::Info) = {
                return ( n$note == SSH::Login &&
                         Site::is_local_addr(n$id$orig_h) &&
                         Site::is_local_addr(n$id$resp_h) );
         },
         $priority=10,
         $halt=T]
};

BTW, this answer is nasty and we're working now on making this generally easier for the next release.

Your approach of generating your own notice works well too.

I was considering removing the SSH::Login notice anyway. It's an anachronism of an older style of scripting and isn't so relevant anymore. Does anyone have any thoughts on the removal of the SSH::Login notice? Anyone actively use it?

  .Seth