List:       bro
Subject:    Re: [Bro] Bro doesn't detect SSH version in local network
From:       Anton Egorov <egoant495 () gmail ! com>
Date:       2017-06-22 15:39:53
Message-ID: CAKvmCT-ntMipKqBWvFsWJqgL2kNmPpeQ3xhrEFXScTmnYZ+8RA () mail ! gmail ! com
Thank you very much. After setting proper local IP space it is working.

2017-06-22 16:44 GMT+03:00 Azoff, Justin S <jazoff@illinois.edu>:

>
> > On Jun 22, 2017, at 6:02 AM, Anton Egorov <egoant495@gmail.com> wrote:
> >
> > Connection entries differ only in ` local_orig      local_resp` fields.
> > What is the meaning of these connection parameters?
>
> Ah, so you have 2 separate problems here.
>
> Your first problem was that bro was only seeing half of the traffic.
> Note, this does not have anything to do with whether or not you ran an ls
> command.  The TCP 3 way handshake and the ssh negotiation would include
> traffic from both sides.
>
> Your latest conn log entry shows a proper record with packets from both
> directions of the connection, so whatever the issue you were having with
> that has been resolved.
>
> Your second problem is that you are using the Software::log_software
> event. By default this will only log software seen on local ip addresses.
> For a bro installation that is using broctl this is controlled by
> /usr/local/bro/etc/networks.cfg.  If you're normally using broctl just
> ensure that 192.168.99.0/24 and 10.31.10.0/24 (or whatever larger block
> you are using) is present in that file.  If you're not using broctl just
> use another script that includes
>
> redef Site::local_nets = {
>         10.0.0.0/8,     # Private IP space
>         192.168.0.0/16, # Private IP space
> };
>
>
> --
> - Justin Azoff
>
>
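As an added check (not part of the thread, and not Bro's own code), assuming a networks.cfg in the format broctl reads and a constructed conn.log excerpt: the script replays the Site::local_nets membership test that Bro applies per endpoint and lists the SSH hosts whose version would stay out of software.log under the default local-hosts-only asset tracking. The subnets and log rows below are constructed sample data.

```python
import ipaddress

# Constructed networks.cfg in broctl's format: "<subnet>  <description>" per line.
NETWORKS_CFG = """\
# Local address space (constructed example)
10.0.0.0/8       Private IP space
192.168.99.0/24  Lab segment
"""

# Constructed conn.log excerpt (tab separated, trimmed to the relevant fields).
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tservice\tlocal_orig\tlocal_resp",
    "1498145000.1\tC1\t10.31.10.5\t50311\t192.168.99.10\t22\tssh\tT\tT",
    "1498145001.2\tC2\t172.16.4.9\t50312\t192.168.99.10\t22\tssh\tF\tT",
    "1498145002.3\tC3\t10.31.10.5\t50313\t203.0.113.7\t22\tssh\tT\tF",
])

def parse_local_nets(cfg_text):
    """Subnets listed in networks.cfg; blank lines and # comments are skipped."""
    nets = []
    for line in cfg_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line.split()[0], strict=False))
    return nets

def is_local(host, nets):
    """The membership test Bro's Site::is_local_addr() makes against Site::local_nets."""
    return any(ipaddress.ip_address(host) in n for n in nets)

def parse_conn_log(text):
    """Rows of a Bro ASCII log as dicts keyed by the #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def untracked_ssh_endpoints(conn_text, cfg_text):
    """SSH endpoints outside local_nets (not logged under LOCAL_HOSTS asset tracking)."""
    nets = parse_local_nets(cfg_text)
    missing = set()
    for row in parse_conn_log(conn_text):
        if row["service"] != "ssh":
            continue
        for role, key in (("client", "id.orig_h"), ("server", "id.resp_h")):
            if not is_local(row[key], nets):
                missing.add((row[key], role))
    return sorted(missing)
```

With an empty networks.cfg every endpoint is reported, which is the symptom the thread started from; the local_orig and local_resp columns in conn.log are the same per-endpoint test recorded at connection time.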

_______________________________________________
Bro mailing list
bro@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro