Understanding Connection history for ssh.

Hi Bro team,

I am trying to understand the ‘history’ field in conn.log for failed and successful ssh logins.
Can we tell by looking into it whether the ssh connection was successful or not?

For example: we had a case today where bro-intel flagged an IP as bad with an 85% confidence rate, and when we looked at the conn.log entry corresponding to that uid, we saw that that IP was trying to ssh into a machine.
Now the question is, can we tell by looking at the history (ShAdDa) that the ssh was successful?

intel.log entry
1476046696.592070 CXs7MT25xi6ykmT3o1 77.242.90.96 50367 x.y.z.k 22 - - - 77.242.90.96 Intel::ADDR SSH::SUCCESSFUL_LOGIN worker-3-4 dataplane.org 85.0 scanner

conn.log entry
1476046725.508913 CXs7MT25xi6ykmT3o1 77.242.90.96 50367 x.y.z.k 22 tcp ssh 10.623538 1383 1843 S1 F T 0 ShAdDa 15 2171 15 2631 (empty)

ssh.log entry

1476046725.634328 CXs7MT25xi6ykmT3o1 77.242.90.96 50367 x.y.z.k 22 2 T INBOUND SSH-2.0-libssh2_1.7.0 SSH-2.0-1.82 sshlib: WinSSHD 4.27 aes256-cbc hmac-sha1 none diffie-hellman-group1-sha1 ssh-dss b9:93:6a:61:8d:29:01:ec:aa:01:1f:0e:90:0a:7b:6e CZ 84 Prerov 49.453899 17.4524

Also, what would the conn history look like in the case of a failed ssh login?

Thanks for the help.

Thanks,
Fatema.

Fatema,
The T in your ssh.log is “auth_success”, so yes…bro views this as a successful login. Also, that source IP is not so good…that IP is listed in https://lists.blocklist.de/lists/ssh.txt.

James
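As an added illustration (not code from this thread or from Bro itself), the following Python decodes the conn.log history string from Fatema's entry letter by letter and shows what that field can and cannot tell you: it records the TCP handshake and which side sent data, but nothing about SSH authentication, which only ssh.log's auth_success reports. It assumes the Bro 2.x conn.log column order and splits the pasted line on whitespace (real logs are tab-separated).

```python
# Letters documented for the conn.log `history` field (Bro 2.x); newer Zeek
# releases add a few more (e.g. 't', 'w'), which are reported as unknown here.
HISTORY_LETTERS = {
    "s": "SYN (no ACK)", "h": "SYN+ACK", "a": "pure ACK", "d": "payload data",
    "f": "FIN", "r": "RST", "c": "bad checksum", "i": "inconsistent packet",
    "q": "multi-flag packet (SYN+FIN or SYN+RST)", "g": "content gap",
    "^": "direction flipped by heuristic",
}

def decode_history(history):
    """Return (sender, meaning) per letter: uppercase = originator, lowercase = responder."""
    events = []
    for ch in history:
        if ch == "^":  # not tied to a direction
            events.append(("analyzer", HISTORY_LETTERS[ch]))
            continue
        sender = "originator" if ch.isupper() else "responder"
        events.append((sender, HISTORY_LETTERS.get(ch.lower(), f"unknown flag {ch!r}")))
    return events

def tcp_summary(history):
    """What history alone can tell you: handshake and data flow, never the auth result."""
    return {
        "handshake_complete": all(c in history for c in "ShA"),
        "data_from_originator": "D" in history,
        "data_from_responder": "d" in history,
        "reset": "r" in history.lower(),
        "fin": "f" in history.lower(),
    }

# Column order of a Bro 2.x conn.log record (tab-separated on disk; the copy
# pasted in the thread is whitespace-separated, which split() handles too).
CONN_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service "
               "duration orig_bytes resp_bytes conn_state local_orig local_resp "
               "missed_bytes history orig_pkts orig_ip_bytes resp_pkts "
               "resp_ip_bytes tunnel_parents").split()

def parse_conn(line):
    return dict(zip(CONN_FIELDS, line.split()))

# Constructed from the thread's conn.log entry (x.y.z.k is the poster's placeholder).
CONN_LINE = ("1476046725.508913 CXs7MT25xi6ykmT3o1 77.242.90.96 50367 x.y.z.k 22 "
             "tcp ssh 10.623538 1383 1843 S1 F T 0 ShAdDa 15 2171 15 2631 (empty)")

if __name__ == "__main__":
    rec = parse_conn(CONN_LINE)
    for sender, meaning in decode_history(rec["history"]):
        print(f"{sender:<10} {meaning}")
    print(tcp_summary(rec["history"]))
```

For ShAdDa this yields a completed handshake with data in both directions and no FIN or RST, which matches conn_state S1 (established, not terminated); a refused or scanned port would instead look like "Sr" or a bare "S" with no "h".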

Be careful taking that column as fact. It seems like the success of an SSH connection is purely
based on the size of the response. A large SSH banner can cause a false positive.