
List:       bro
Subject:    [Zeek] Re: Zeek is not always detecting outcome of SSH connections.
From:       Vlad Grigorescu <vlad () es ! net>
Date:       2021-08-18 12:27:26
Message-ID: CAPqbkwu_=0Y5h+dqAdtx1dxyX-8FK=6usmy0TBkK0fb3XUOfbg () mail ! gmail ! com



On Wed, Aug 18, 2021 at 03:27 Jakub Niezabitowski <kuba.michal.n@gmail.com>
wrote:

>
> {"ts":1629151421.501644,"uid":"CUgRqs4tiJyHemzjs5","id.orig_h":"IP1","id.orig_p":41080,"id.resp_h":"IP2","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-Go","server":"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2","cipher_alg":"aes128-gcm@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256@libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"KEY1"}
>

This connection had "auth_attempts: 0," so there was nothing to make a
determination on.

>
> {"ts":1629151420.84616,"uid":"CN6Tsq42Ki15BZF9J","id.orig_h":"IP3","id.orig_p":38122,"id.resp_h":"IP4","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-babeld-322814ef","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"rsa-sha2-512","host_key":"KEY2"}
>

This connection has "auth_success: false," so it seems like a determination
was made?

The docs (https://docs.zeek.org/en/master/scripts/base/protocols/ssh/main.zeek.html#id-ssh_auth_result)
have a bit more info, but essentially, yes, it is expected, and Zeek goes to
some lengths to avoid false positives and negatives, at the expense of true
positives. However, that doesn't seem to be the case here?

  —Vlad
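Added example (not part of the original thread, and not Zeek's own code): a small Python reader for JSON-format ssh.log records that applies the distinction Vlad draws above. In Zeek's ssh.log, `auth_success` is an optional field that is only written once the heuristic reaches a verdict, and `auth_attempts` counts the client authentication attempts seen, so a record can fall into one of four buckets: success, failure, no authentication observed at all (`auth_attempts` 0 or absent), or attempts seen but no verdict. The first two sample records are the ones quoted in the thread; the other two are constructed here to cover the remaining outcomes, with placeholder IPs and uids.

```python
import json
from collections import Counter

# Constructed sample of JSON-format ssh.log lines. The first two records are
# the ones quoted in the thread (IPs and host keys are placeholders there
# too); the last two are made up to exercise the "success" and
# "attempts seen but no verdict" outcomes.
SAMPLE_SSH_LOG = r'''
{"ts":1629151421.501644,"uid":"CUgRqs4tiJyHemzjs5","id.orig_h":"IP1","id.orig_p":41080,"id.resp_h":"IP2","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-Go","server":"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2","cipher_alg":"aes128-gcm@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256@libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"KEY1"}
{"ts":1629151420.84616,"uid":"CN6Tsq42Ki15BZF9J","id.orig_h":"IP3","id.orig_p":38122,"id.resp_h":"IP4","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-babeld-322814ef","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"rsa-sha2-512","host_key":"KEY2"}
{"ts":1629151430.0,"uid":"CxAMPLE0000000001","id.orig_h":"IP5","id.orig_p":50000,"id.resp_h":"IP2","id.resp_p":22,"version":2,"auth_success":true,"auth_attempts":1,"client":"SSH-2.0-OpenSSH_8.4","server":"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2"}
{"ts":1629151440.0,"uid":"CxAMPLE0000000002","id.orig_h":"IP6","id.orig_p":50001,"id.resp_h":"IP2","id.resp_p":22,"version":2,"auth_attempts":3,"client":"SSH-2.0-libssh_0.9.5","server":"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2"}
'''


def classify(rec):
    """Map one ssh.log record to an outcome label.

    auth_success is present only when Zeek's heuristic reached a verdict;
    auth_attempts counts client authentication attempts observed. Both are
    optional fields, so their absence is itself informative.
    """
    attempts = rec.get("auth_attempts")
    success = rec.get("auth_success")
    if success is True:
        return "success"
    if success is False:
        return "failure"
    if not attempts:  # None or 0: nothing to make a determination on
        return "no_auth_seen"
    return "undetermined"  # attempts were seen but no verdict was logged


def parse_ssh_log(text):
    """Parse JSON-format ssh.log text into a list of dicts, skipping blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        records.append(json.loads(line))
    return records


def summarize(text):
    """Return {uid: outcome_label} for every record in the log text."""
    return {rec["uid"]: classify(rec) for rec in parse_ssh_log(text)}


def outcome_counts(text):
    """Return a plain dict of how many records fell into each outcome bucket."""
    return dict(Counter(summarize(text).values()))


def needs_follow_up(text):
    """uids where auth attempts were seen but Zeek logged no verdict.

    These are the records worth checking against conn.log (duration, bytes)
    when asking why an outcome was not detected.
    """
    return sorted(uid for uid, label in summarize(text).items() if label == "undetermined")


if __name__ == "__main__":
    for uid, label in summarize(SAMPLE_SSH_LOG).items():
        print(f"{uid}\t{label}")
    print(outcome_counts(SAMPLE_SSH_LOG))
    print("follow up:", needs_follow_up(SAMPLE_SSH_LOG))
```

Run against a real ssh.log (JSON output enabled, for example via `@load policy/tuning/json-logs`), the `undetermined` bucket is the one that corresponds to "Zeek did not detect the outcome"; the `no_auth_seen` bucket, like the first record quoted above, is a connection that never got as far as authentication and is not a detection miss.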





--
zeek mailing list -- zeek@lists.zeek.org
To unsubscribe send an email to zeek-leave@lists.zeek.org
