List: bro
Subject: [Zeek] Zeek is not always detecting outcome of SSH connections.
From: Jakub Niezabitowski <kuba.michal.n () gmail ! com>
Date: 2021-08-17 10:58:53
Message-ID: CA+B7c484gYK+VMs88=0Gde=Tb-R8Y7h=Vs23mr=x3khpCmNJ1w () mail ! gmail ! com
Hello,
As seen below, Zeek is not always detecting successful or failed SSH login
attempts:
{"ts":1629151421.501644,"uid":"CUgRqs4tiJyHemzjs5","id.orig_h":"IP1","id.orig_p":41080,"id.resp_h":"IP2","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-Go","server":"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2","cipher_alg":"aes128-gcm@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256@libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"KEY1"}
{"ts":1629151420.84616,"uid":"CN6Tsq42Ki15BZF9J","id.orig_h":"IP3","id.orig_p":38122,"id.resp_h":"IP4","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-babeld-322814ef","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"rsa-sha2-512","host_key":"KEY2"}
Is it to be expected?
Thank you in advance!
Jakub
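
Added example, not part of the original message and not Zeek's own code: a Python triage of JSON ssh.log records that separates connections where auth_success is absent (as in the first record above) from those logged as success or failure, so a missing outcome is counted on its own rather than read as a failed login. The first two sample lines are trimmed from the message; the last two are constructed.

```python
import json
from collections import Counter

# Sample input. Lines 1-2 are the two records from the message, trimmed to the
# fields used here; lines 3-4 are constructed (a success, and a line broken by
# mail-client wrapping) to exercise the other branches.
SAMPLE_LOG = "\n".join([
    '{"uid":"CUgRqs4tiJyHemzjs5","id.resp_p":22,"auth_attempts":0,'
    '"client":"SSH-2.0-Go","server":"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2"}',
    '{"uid":"CN6Tsq42Ki15BZF9J","id.resp_p":22,"auth_success":false,'
    '"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-babeld-322814ef"}',
    '{"uid":"CONSTRUCTED0001","id.resp_p":22,"auth_success":true,'
    '"auth_attempts":1,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-OpenSSH_8.2p1"}',
    '{"uid":"CONSTRUCTED0002","id.resp_p":22,"auth_succ',
])


def classify(record):
    """Label one ssh.log record by the outcome Zeek logged, if any."""
    if "auth_success" not in record:
        return "undetermined"  # field absent: do not read this as a failure
    return "success" if record["auth_success"] else "failure"


def summarize(log_text):
    """Return (outcome counts, details of records with no logged outcome)."""
    counts, undetermined = Counter(), []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            counts["unparseable"] += 1  # e.g. a record split across lines
            continue
        outcome = classify(record)
        counts[outcome] += 1
        if outcome == "undetermined":
            undetermined.append((record.get("uid"), record.get("client"),
                                 record.get("server"), record.get("auth_attempts")))
    return counts, undetermined


if __name__ == "__main__":
    counts, undetermined = summarize(SAMPLE_LOG)
    print(dict(counts))
    for row in undetermined:
        print("no auth outcome logged:", row)
```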