Zeek is not always detecting outcome of SSH connections.

Hello,

As seen below, Zeek is not always detecting successful or failed SSH login attempts:

{"ts":1629151421.501644,"uid":"CUgRqs4tiJyHemzjs5","id.orig_h":"IP1","id.orig_p":41080,"id.resp_h":"IP2","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-Go","server":"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2","cipher_alg":"aes128-gcm@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256@libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"KEY1"}

{"ts":1629151420.84616,"uid":"CN6Tsq42Ki15BZF9J","id.orig_h":"IP3","id.orig_p":38122,"id.resp_h":"IP4","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-babeld-322814ef","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"rsa-sha2-512","host_key":"KEY2"}

Is it to be expected?

Thank you in advance!

Jakub

Hello,

Can you share a pcap?

Sincerely,

Richard

{"ts":1629151421.501644,"uid":"CUgRqs4tiJyHemzjs5","id.orig_h":"IP1","id.orig_p":41080,"id.resp_h":"IP2","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-Go","server":"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2","cipher_alg":"aes128-gcm@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256@libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"KEY1"}

This connection had “auth_attempts: 0,” so there was nothing to make a determination on.

{"ts":1629151420.84616,"uid":"CN6Tsq42Ki15BZF9J","id.orig_h":"IP3","id.orig_p":38122,"id.resp_h":"IP4","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-babeld-322814ef","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"rsa-sha2-512","host_key":"KEY2"}

This connection has “auth_success: false,” so it seems like a determination was made?

The docs (https://docs.zeek.org/en/master/scripts/base/protocols/ssh/main.zeek.html#id-ssh_auth_result) have a bit more info, but essentially, yes it is expected, and Zeek goes to some lengths to avoid false positives and negatives, at the expense of true positives. However, that doesn’t seem to be the case here?

—Vlad
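An added example, not code from anyone in this thread or from the Zeek project: a small Python reader for JSON-format ssh.log that keeps a missing `auth_success` as "undetermined" instead of folding it into "failure", which is the distinction between the two records discussed above. The sample records are constructed (the thread's two entries trimmed to the relevant fields, plus one made-up successful login), and the function names are hypothetical.

```python
import json
from collections import Counter

# Constructed sample: the two ssh.log entries from the thread, trimmed,
# plus one invented successful login (uid CExampleUid0000001).
SAMPLE_SSH_LOG = """\
{"ts":1629151421.501644,"uid":"CUgRqs4tiJyHemzjs5","id.orig_h":"IP1","id.resp_h":"IP2","auth_attempts":0,"client":"SSH-2.0-Go"}
{"ts":1629151420.84616,"uid":"CN6Tsq42Ki15BZF9J","id.orig_h":"IP3","id.resp_h":"IP4","auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1"}
{"ts":1629151425.0,"uid":"CExampleUid0000001","id.orig_h":"IP5","id.resp_h":"IP6","auth_success":true,"auth_attempts":1,"client":"SSH-2.0-OpenSSH_8.1"}
"""


def classify(record):
    """Map one ssh.log record to 'success', 'failure' or 'undetermined'.

    auth_success is an optional field: when Zeek made no determination it is
    absent from the JSON, so a plain truthiness test would misreport it.
    """
    outcome = record.get("auth_success")
    if outcome is True:
        return "success"
    if outcome is False:
        return "failure"
    return "undetermined"


def summarize(text):
    """Return {uid: (outcome, auth_attempts)} for every parseable line."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        results[rec.get("uid", "?")] = (classify(rec), rec.get("auth_attempts", 0))
    return results


def outcome_counts(text):
    """Count records per outcome, so undetermined sessions stay visible."""
    return Counter(outcome for outcome, _ in summarize(text).values())


if __name__ == "__main__":
    for uid, (outcome, attempts) in summarize(SAMPLE_SSH_LOG).items():
        print(f"{uid}: {outcome} (auth_attempts={attempts})")
```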