Hello,
after completing another project I had some time to dig into the issue a
little bit deeper. I came across this site:
https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full…
It turns out my interface was misconfigured. Disabling some offloads solved
the issue and overall loss has dropped significantly.
Thank you for your help!
Jakub
On Thu, 2 Sep 2021 at 16:02 Vlad Grigorescu <vlad at es.net> wrote:
> Jakub,
>
> Sorry for the delay on this, I was also out and then it fell off my radar.
>
> I think your answer lies in the missed_bytes field of the conn log. All of
> the connections from your ssh.log had traffic that Zeek did not see. Since
> Zeek has no way of knowing what transpired in those missed bytes, the SSH
> analyzer will never flag those connections as successful or failed.
>
> The mailing list or Slack might have some suggestions on how to determine
> the cause of your missed bytes, and what the solution might be.
>
> --Vlad
>
> On Thu, Aug 19, 2021 at 9:58 AM Jakub Niezabitowski <kuba.michal.n at gmail.com> wrote:
>
>> Hello,
>>
>> I will be out for about a week. Sorry for your inconvenience. If there
>> will be any update I will write as soon as I can.
>>
>> Thank you for your support.
>> Jakub
>>
>> On Thu, 19 Aug 2021 at 15:25 Jakub Niezabitowski <kuba.michal.n at gmail.com> wrote:
>>
>>> This is the output of zeek -v:
>>> ./zeek version 4.1.0-dev.750
>>>
>>> ssh.log:
>>>
>>> {"ts":1629353969.834005,"uid":"C6vC4b2O0r71ggNi25","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629355319.70739,"uid":"C0c0604XfdAEv7svZb","id.orig_h":"149.156.4.93","id.orig_p":42818,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com","mac_alg":"umac-64-etm at openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629355326.102184,"uid":"ClskL8uZ1TVWjwYV5","id.orig_h":"149.156.4.93","id.orig_p":42820,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com","mac_alg":"umac-64-etm at openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629363511.517178,"uid":"CcqehS1QVeUxz1B4Od","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629359395.93802,"uid":"ChjjxO1RDEYWkNATye","id.orig_h":"149.156.4.93","id.orig_p":56826,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629359403.032656,"uid":"CjDb491bXc6cNybmn2","id.orig_h":"149.156.4.93","id.orig_p":56828,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629362225.296699,"uid":"CowriFJduoVFdyFH1","id.orig_h":"149.156.4.93","id.orig_p":35404,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com","mac_alg":"umac-64-etm at openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629361952.911338,"uid":"CFoYi71C4Nh1f5zlLk","id.orig_h":"149.156.4.93","id.orig_p":35402,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629368286.231978,"uid":"CevlPO3R5JgpEwTLfe","id.orig_h":"149.156.4.93","id.orig_p":33266,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629368323.887805,"uid":"CSSAMgMkKpJnTYDOg","id.orig_h":"149.156.4.93","id.orig_p":33268,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629368384.265589,"uid":"CszcwObIzxyaFRswi","id.orig_h":"149.156.4.93","id.orig_p":33270,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629369473.554433,"uid":"C2iNBj2NrOS4TvWqed","id.orig_h":"149.156.4.93","id.orig_p":33272,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629369478.658333,"uid":"CZLjJa3oSIDiQD0Ko1","id.orig_h":"149.156.4.93","id.orig_p":33274,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629363611.176921,"uid":"CanhZA2xCTZoDMPvng","id.orig_h":"149.156.4.93","id.orig_p":39666,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com","mac_alg":"umac-64-etm at openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629363530.397083,"uid":"CeYi3U1HCr8ADcerw9","id.orig_h":"149.156.4.93","id.orig_p":39664,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>>> {"ts":1629366392.592983,"uid":"CuthbE1HzIye71DjVc","id.orig_h":"149.156.4.93","id.orig_p":54438,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com","mac_alg":"umac-64-etm at openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>> {"ts":1629365717.892757,"uid":"C9hAYf1UisBCzG2GL5","id.orig_h":"149.156.4.93","id.orig_p":54101,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305 at openssh.com","mac_alg":"umac-64-etm at openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>>
>>> conn.log:
>>>
>>> {"ts":1629353969.732991,"uid":"C6vC4b2O0r71ggNi25","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":1343.1681571006776,"orig_bytes":10765,"resp_bytes":1249389,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":372560,"history":"ShADadCGcggctgtcFRf","orig_pkts":2290,"orig_ip_bytes":128761,"resp_pkts":1878,"resp_ip_bytes":1005437}
>>>
>>> {"ts":1629355322.821648,"uid":"CBGul41OnibExQK9O6","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":88.76865911483765,"orig_bytes":0,"resp_bytes":1048,"conn_state":"OTH","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^dt","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":4,"resp_ip_bytes":4400}
>>>
>>> {"ts":1629355319.682793,"uid":"C0c0604XfdAEv7svZb","id.orig_h":"149.156.4.93","id.orig_p":42818,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":3674.8831601142885,"orig_bytes":5049,"resp_bytes":2136781,"conn_state":"RSTO","local_orig":false,"local_resp":false,"missed_bytes":9868,"history":"ShADadcgttR","orig_pkts":4225,"orig_ip_bytes":225141,"resp_pkts":4243,"resp_ip_bytes":2382129}
>>>
>>> {"ts":1629355326.076816,"uid":"ClskL8uZ1TVWjwYV5","id.orig_h":"149.156.4.93","id.orig_p":42820,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":3696.138195991516,"orig_bytes":8641,"resp_bytes":2227993,"conn_state":"RSTO","local_orig":false,"local_resp":false,"missed_bytes":47024,"history":"ShADadcggttcGR","orig_pkts":4504,"orig_ip_bytes":243421,"resp_pkts":4411,"resp_ip_bytes":2454697}
>>>
>>> {"ts":1629363511.478,"uid":"CcqehS1QVeUxz1B4Od","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":26.2694411277771,"orig_bytes":3497,"resp_bytes":45209,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":28080,"history":"ShADadCGcggFRft","orig_pkts":88,"orig_ip_bytes":6557,"resp_pkts":66,"resp_ip_bytes":23653}
>>>
>>> {"ts":1629363542.919383,"uid":"CpYDAh26XA0tnFjqE8","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629363548.264316,"uid":"CKIeJ02kp7bqmZHQGa","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629363558.951295,"uid":"Cy70hG3xbe0YraNLQ","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629363580.29527,"uid":"ClzNXf3uL9jMAKVFN8","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629363623.047142,"uid":"CM6AG64ej3HoBNCmV6","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>>>
>>> {"ts":1629359395.898961,"uid":"ChjjxO1RDEYWkNATye","id.orig_h":"149.156.4.93","id.orig_p":56826,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2406.9871258735659,"orig_bytes":14529,"resp_bytes":1270377,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":231140,"history":"ShADadCGcggtcgTt","orig_pkts":2670,"orig_ip_bytes":152449,"resp_pkts":2337,"resp_ip_bytes":1196833}
>>>
>>> {"ts":1629359402.915081,"uid":"CjDb491bXc6cNybmn2","id.orig_h":"149.156.4.93","id.orig_p":56828,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2431.203042984009,"orig_bytes":22009,"resp_bytes":3986829,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":401516,"history":"ShADadCGcgtTtgcGgc","orig_pkts":8571,"orig_ip_bytes":467389,"resp_pkts":8341,"resp_ip_bytes":4070913}
>>>
>>> {"ts":1629362225.253584,"uid":"CowriFJduoVFdyFH1","id.orig_h":"149.156.4.93","id.orig_p":35404,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":1795.6165931224824,"orig_bytes":23017,"resp_bytes":1719917,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":249976,"history":"ShAdDacggtctTg","orig_pkts":3808,"orig_ip_bytes":221809,"resp_pkts":3676,"resp_ip_bytes":1708085}
>>>
>>> {"ts":1629361952.865328,"uid":"CFoYi71C4Nh1f5zlLk","id.orig_h":"149.156.4.93","id.orig_p":35402,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2072.1008388996126,"orig_bytes":27917,"resp_bytes":1165281,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":322496,"history":"ShADadCGcgtTgctgc","orig_pkts":3158,"orig_ip_bytes":191313,"resp_pkts":2439,"resp_ip_bytes":1014905}
>>>
>>> {"ts":1629368286.226311,"uid":"CevlPO3R5JgpEwTLfe","id.orig_h":"149.156.4.93","id.orig_p":33266,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":31.089575052261354,"orig_bytes":4095,"resp_bytes":7573,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGtFf","orig_pkts":50,"orig_ip_bytes":5807,"resp_pkts":35,"resp_ip_bytes":4377}
>>>
>>> {"ts":1629368323.882291,"uid":"CSSAMgMkKpJnTYDOg","id.orig_h":"149.156.4.93","id.orig_p":33268,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":39.62539982795715,"orig_bytes":3907,"resp_bytes":7133,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGFf","orig_pkts":38,"orig_ip_bytes":4983,"resp_pkts":26,"resp_ip_bytes":3385}
>>>
>>> {"ts":1629368384.260782,"uid":"CszcwObIzxyaFRswi","id.orig_h":"149.156.4.93","id.orig_p":33270,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":95.20389604568482,"orig_bytes":4699,"resp_bytes":8045,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGFf","orig_pkts":78,"orig_ip_bytes":7855,"resp_pkts":48,"resp_ip_bytes":5441}
>>>
>>> {"ts":1629369473.551176,"uid":"C2iNBj2NrOS4TvWqed","id.orig_h":"149.156.4.93","id.orig_p":33272,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":4.286886930465698,"orig_bytes":3907,"resp_bytes":7169,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":5108,"history":"ShADadcgtFf","orig_pkts":42,"orig_ip_bytes":6111,"resp_pkts":29,"resp_ip_bytes":3661}
>>>
>>> {"ts":1629369478.65472,"uid":"CZLjJa3oSIDiQD0Ko1","id.orig_h":"149.156.4.93","id.orig_p":33274,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":1.974303960800171,"orig_bytes":3907,"resp_bytes":7133,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgtTCGFf","orig_pkts":39,"orig_ip_bytes":5535,"resp_pkts":27,"resp_ip_bytes":3909}
>>>
>>> {"ts":1629363611.137711,"uid":"CanhZA2xCTZoDMPvng","id.orig_h":"149.156.4.93","id.orig_p":39666,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":4322.946979999542,"orig_bytes":83385,"resp_bytes":4093093,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":1280948,"history":"ShADadcgcggttcTt","orig_pkts":9754,"orig_ip_bytes":592549,"resp_pkts":7344,"resp_ip_bytes":3280677}
>>>
>>> {"ts":1629363530.35789,"uid":"CeYi3U1HCr8ADcerw9","id.orig_h":"149.156.4.93","id.orig_p":39664,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":4444.6867852211,"orig_bytes":16493,"resp_bytes":2455029,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":99340,"history":"ShADadCGcgtgctT","orig_pkts":5389,"orig_ip_bytes":295961,"resp_pkts":5126,"resp_ip_bytes":2670001}
>>>
>>> {"ts":1629366392.574032,"uid":"CuthbE1HzIye71DjVc","id.orig_h":"149.156.4.93","id.orig_p":54438,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":5154.938705921173,"orig_bytes":14113,"resp_bytes":49097,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":17616,"history":"ShADadcgCGgc","orig_pkts":699,"orig_ip_bytes":49321,"resp_pkts":433,"resp_ip_bytes":55169}
>>>
>>> {"ts":1629365717.871532,"uid":"C9hAYf1UisBCzG2GL5","id.orig_h":"149.156.4.93","id.orig_p":54101,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":5869.062443971634,"orig_bytes":25417,"resp_bytes":123257,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":68778,"history":"ShADadcgCGTtgc","orig_pkts":1409,"orig_ip_bytes":97629,"resp_pkts":764,"resp_ip_bytes":96079}
>>>
>>> {"ts":1629378908.289358,"uid":"CgpvjA2SRGDerkjnt7","id.orig_h":"149.156.4.93","id.orig_p":33276,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":12.938737154006958,"orig_bytes":4699,"resp_bytes":8277,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6047,"history":"ShaGADdcgCtFf","orig_pkts":83,"orig_ip_bytes":8127,"resp_pkts":51,"resp_ip_bytes":5913}
>>>
>>> I am also attaching a new pcap in case the logs for the older one have
>>> already been rotated.
>>>
>>> Jakub
>>>
>>> On Thu, 19 Aug 2021 at 13:42 Vlad Grigorescu <vlad at es.net> wrote:
>>>
>>>> When I run the PCAP through try.zeek.org, it reports auth_success as
>>>> T, https://try.zeek.org/#/tryzeek/saved/527994
>>>>
>>>> What version of Zeek? To verify that capture loss isn't an issue, can
>>>> you share the line from conn.log that you see for that connection?
>>>>
>>>> On Thu, Aug 19, 2021 at 5:47 AM Jakub Niezabitowski <kuba.michal.n at gmail.com> wrote:
>>>>
>>>>> To add some context this is my node.cfg:
>>>>>
>>>>> [logger-1]
>>>>> type=logger
>>>>> host=localhost
>>>>> #
>>>>> [manager]
>>>>> type=manager
>>>>> host=localhost
>>>>> #
>>>>> [proxy-1]
>>>>> type=proxy
>>>>> host=localhost
>>>>> #
>>>>> [worker-1]
>>>>> type=worker
>>>>> host=localhost
>>>>> lb_procs=8
>>>>> lb_method=pf_ring
>>>>> pin_cpus=0,1,2,3,4,5,6,7
>>>>> interface=eth-mirror
>>>>>
>>>>> This machine can handle up to 8 GBit/s of traffic; during the capture it
>>>>> was about 1 GBit/s.
>>>>>
>>>>>
>>>>> On Thu, 19 Aug 2021 at 12:42 Jakub Niezabitowski <kuba.michal.n at gmail.com> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> The data was gathered on the same network interface as Zeek. It was
>>>>>> filtered, though, to include only the related traffic.
>>>>>>
>>>>>> I logged in from host 149.156.4.93 to machine 149.156.9.136 and
>>>>>> executed a few commands. Zeek is not showing the auth_success field.
>>>>>>
>>>>>> After reading the provided docs (
>>>>>> https://docs.zeek.org/en/master/scripts/base/protocols/ssh/main.zeek.html#i…)
>>>>>> I assume it could be related to capture loss, but it shouldn't be. The amount
>>>>>> of traffic was way below average.
>>>>>>
>>>>>> Thank you for your help!
>>>>>> Jakub
>>>>>>
>>>>>>
>>>>>> On Wed, 18 Aug 2021 at 14:27 Vlad Grigorescu <vlad at es.net> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Aug 18, 2021 at 03:27 Jakub Niezabitowski <kuba.michal.n at gmail.com> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> {"ts":1629151421.501644,"uid":"CUgRqs4tiJyHemzjs5","id.orig_h":"IP1","id.orig_p":41080,"id.resp_h":"IP2","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-Go","server":"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2","cipher_alg":"aes128-gcm at openssh.com","mac_alg":"hmac-sha2-256-etm at openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256 at libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"KEY1"}
>>>>>>>>
>>>>>>>
>>>>>>> This connection had “auth_attempts: 0,” so there was nothing to make
>>>>>>> a determination on.
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> {"ts":1629151420.84616,"uid":"CN6Tsq42Ki15BZF9J","id.orig_h":"IP3","id.orig_p":38122,"id.resp_h":"IP4","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-babeld-322814ef","cipher_alg":"chacha20-poly1305 at openssh.com","mac_alg":"hmac-sha2-256-etm at openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"rsa-sha2-512","host_key":"KEY2"}
>>>>>>>>
>>>>>>> This connection has “auth_success: false,” so it seems like a
>>>>>>> determination was made?
>>>>>>>
>>>>>>> The docs (
>>>>>>>
>>>>>>> https://docs.zeek.org/en/master/scripts/base/protocols/ssh/main.zeek.html#i…)
>>>>>>> have a bit more info, but essentially, yes it is expected, and Zeek goes to
>>>>>>> some lengths to avoid false positives and negatives, at the expense of true
>>>>>>> positives. However, that doesn’t seem to be the case here?
>>>>>>>
>>>>>>> —Vlad
>>>>>>>
>>>>>>
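Vlad's point about missed_bytes, made checkable as an added example that is not code from the thread or from Zeek: it joins ssh.log and conn.log by uid, labels every SSH record that lacks auth_success with the reason (capture loss, no attempts, or no conn record), and reports the share of payload bytes Zeek never saw across conn.log. The records it parses are constructed for the example in Zeek's JSON log format, and the function names are mine.

```python
import json

# Constructed sample records in Zeek's JSON log format (one record per line),
# shaped like the thread's logs; RFC 5737 addresses, made-up uids.
SSH_LOG = """\
{"ts":1629353969.83,"uid":"Cgap0001","id.orig_h":"192.0.2.10","id.orig_p":42814,"id.resp_h":"198.51.100.7","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4"}
{"ts":1629353970.12,"uid":"Cok0002","id.orig_h":"192.0.2.10","id.orig_p":42816,"id.resp_h":"198.51.100.7","id.resp_p":22,"version":2,"auth_success":true,"auth_attempts":1,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4"}
{"ts":1629353971.55,"uid":"Cnoconn03","id.orig_h":"192.0.2.10","id.orig_p":42818,"id.resp_h":"198.51.100.7","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4"}
{"ts":1629353972.01,"uid":"Czero0004","id.orig_h":"192.0.2.10","id.orig_p":42820,"id.resp_h":"198.51.100.7","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4"}
{"ts":1629353973.40,"uid":"Cund0005","id.orig_h":"192.0.2.10","id.orig_p":42822,"id.resp_h":"198.51.100.7","id.resp_p":22,"version":2,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4"}
"""
CONN_LOG = """\
{"ts":1629353969.73,"uid":"Cgap0001","id.orig_h":"192.0.2.10","id.orig_p":42814,"id.resp_h":"198.51.100.7","id.resp_p":22,"proto":"tcp","duration":1343.2,"orig_bytes":10765,"resp_bytes":1249389,"conn_state":"SF","missed_bytes":372560,"history":"ShADadCGcggctgtcFRf","orig_pkts":2290,"resp_pkts":1878}
{"ts":1629353970.02,"uid":"Cok0002","id.orig_h":"192.0.2.10","id.orig_p":42816,"id.resp_h":"198.51.100.7","id.resp_p":22,"proto":"tcp","service":"ssh","duration":12.5,"orig_bytes":3907,"resp_bytes":7133,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf","orig_pkts":38,"resp_pkts":26}
{"ts":1629353971.90,"uid":"Czero0004","id.orig_h":"192.0.2.10","id.orig_p":42820,"id.resp_h":"198.51.100.7","id.resp_p":22,"proto":"tcp","duration":0.4,"orig_bytes":21,"resp_bytes":40,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf","orig_pkts":6,"resp_pkts":5}
{"ts":1629353973.31,"uid":"Cund0005","id.orig_h":"192.0.2.10","id.orig_p":42822,"id.resp_h":"198.51.100.7","id.resp_p":22,"proto":"tcp","service":"ssh","duration":9.8,"orig_bytes":2000,"resp_bytes":3000,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf","orig_pkts":30,"resp_pkts":25}
"""


def parse_json_log(text):
    """Parse Zeek JSON-format log text into a list of dict records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def explain_missing_auth_success(ssh_text, conn_text):
    """Map uid -> verdict for every ssh.log record that has no auth_success.

    capture_loss:     conn.log has missed_bytes > 0 (the history string also
                      carries a 'g'/'G' content-gap marker), so the analyzer
                      never saw part of the stream and cannot decide.
    no_auth_attempts: nothing happened that it could decide on.
    no_conn_record:   cannot tell; conn.log may already have rotated.
    undetermined:     attempts seen and no gaps; worth a closer look.
    """
    conns = {r["uid"]: r for r in parse_json_log(conn_text)}
    verdicts = {}
    for ssh in parse_json_log(ssh_text):
        if "auth_success" in ssh:
            continue  # the analyzer reached a decision; nothing to explain
        conn = conns.get(ssh["uid"])
        if conn is None:
            verdict = "no_conn_record"
        elif conn.get("missed_bytes", 0) > 0:
            verdict = "capture_loss"
        elif ssh.get("auth_attempts", 0) == 0:
            verdict = "no_auth_attempts"
        else:
            verdict = "undetermined"
        verdicts[ssh["uid"]] = verdict
    return verdicts


def capture_loss_summary(conn_text):
    """Share of payload bytes Zeek missed across conn.log. orig_bytes and
    resp_bytes come from TCP sequence numbers, so they already include the
    gaps. A high or rising share points at the sensor (NIC offloads, drops),
    not at any protocol analyzer."""
    records = parse_json_log(conn_text)
    missed = sum(r.get("missed_bytes", 0) for r in records)
    payload = sum(r.get("orig_bytes", 0) + r.get("resp_bytes", 0) for r in records)
    with_gaps = sum(1 for r in records if r.get("missed_bytes", 0) > 0)
    share = missed / payload if payload else 0.0
    return {"connections": len(records), "with_gaps": with_gaps,
            "missed_bytes": missed, "missed_share": round(share, 4)}


if __name__ == "__main__":
    for uid, verdict in explain_missing_auth_success(SSH_LOG, CONN_LOG).items():
        print(uid, verdict)
    print(capture_loss_summary(CONN_LOG))
```

Against a real deployment, feed the functions the contents of ssh.log and conn.log written with `redef LogAscii::use_json = T;`, since the parser expects one JSON record per line.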
Hi,
I have updated the metadata_tostring_fix function in metadata.py. It's ugly, but
it gets the job done:
```python
import re

# MDNS, XMLNSXS, bMDNS and bXMLNSXS are the module-level constants that
# pysaml2's metadata.py already defines; this replaces the function there.
def metadata_tostring_fix(desc, nspair, xmlstring=""):
    if not xmlstring:
        xmlstring = desc.to_string(nspair)
    try:
        if "\"xs:string\"" in xmlstring and XMLNSXS not in xmlstring:
            xmlstring = xmlstring.replace(MDNS, MDNS + XMLNSXS)
    except TypeError:
        if b"\"xs:string\"" in xmlstring and bXMLNSXS not in xmlstring:
            xmlstring = xmlstring.replace(bMDNS, bMDNS + bXMLNSXS)
    # JN: inject the REFEDS security contact right after the first existing
    # ns0:ContactPerson; work on str so that both str and bytes input work.
    if isinstance(xmlstring, bytes):  # JN
        xmlstring = xmlstring.decode("utf-8")  # JN
    security_contact = (  # JN
        '<md:ContactPerson xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'contactType="other" '
        'remd:contactType="http://refeds.org/metadata/contactType/security" '
        'xmlns:remd="http://refeds.org/metadata">'
        '<md:GivenName>Security Response Team</md:GivenName>'
        '<md:EmailAddress>mailto:security at xxxxxxxxxxxxxxx</md:EmailAddress>'
        '</md:ContactPerson>'
    )
    xmlstring = re.sub(r'(<\/ns0:ContactPerson>)', r'\1' + security_contact,
                       xmlstring, count=1)  # JN
    xmlstring = bytes(xmlstring, 'utf-8')  # JN
    return xmlstring
```
On Thu, 2 Sep 2021 at 16:05 Jakub Niezabitowski <kuba.michal.n at gmail.com> wrote:
> Hello Ivan,
>
> thank you for your quick response. Adding assurance_certification works
> great!
>
> On Thu, 2 Sep 2021 at 15:55 Ivan Kanakarakis <ivan.kanak at gmail.com> wrote:
>
>> hello Jakub,
>>
>> ## refeds metadata
>>
>> the refeds metadata is not known to pysaml2, and thus there is no way
>> to do this.
>> We can look into adding support and exposing that as part of the
>> configuration.
>>
>> Until that is in place, you can add a post-processing rule to your
>> deployment to inject the namespace and element as needed.
>>
>>
>> ## assurance certification
>>
>> To add an assurance certification you can add the following in your
>> saml frontend configuration:
>>
>> ```yaml
>> module: ...
>> name: ...
>> config:
>>   idp_config:
>>     ...
>>     assurance_certification:
>>       - https://refeds.org/sirtfi
>>     ...
>> ```
>>
>>
>> On Thu, 2 Sept 2021 at 15:25, Jakub Niezabitowski <kuba.michal.n at gmail.com> wrote:
>> >
>> > Hello,
>> >
>> > does anybody know how to specify remd:contactType for the SATOSA front-end? It is necessary for REFEDS. Example:
>> >
>> > <md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
>> > <md:Company>XYZ</md:Company>
>> > <md:GivenName>ABC</md:GivenName>
>> > <md:SurName>Security</md:SurName>
>> > <md:EmailAddress>mailto:security at example.com</md:EmailAddress>
>> > </md:ContactPerson>
>> >
>> > I would also be very thankful for help adding this static string to the metadata:
>> >
>> > <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ...>
>> > <md:Extensions>
>> > <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
>> > <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>> > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>> > Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
>> > <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
>> > </saml:Attribute>
>> > </mdattr:EntityAttributes>
>> > </md:Extensions>
>> > </md:EntityDescriptor>
>> >
>> > Thank you in advance for any help
>> > Jakub
>> > _______________________________________________
>> > satosa-users mailing list
>> > satosa-users at lists.sunet.se
>> > https://lists.sunet.se/listinfo/satosa-users
>>
>>
>>
>> --
>> Ivan c00kiemon5ter Kanakarakis >:3
>>
>
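Ivan's suggested post-processing rule, written out as an added example (not code from the thread, SATOSA or pysaml2): it parses the EntityDescriptor with xml.etree, adds the remd:contactType security contact and the assurance-certification entity attribute in their schema-required positions, and leaves the document alone when they are already present. The sample descriptor, the function names and the contact details are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "remd": "http://refeds.org/metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep the conventional prefixes on output
SECURITY_CT = "http://refeds.org/metadata/contactType/security"
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI = "https://refeds.org/sirtfi"

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)  # Clark notation, e.g. {md-uri}Extensions

def security_contacts(root):
    return [cp for cp in root.findall(q("md", "ContactPerson"))
            if cp.get(q("remd", "contactType")) == SECURITY_CT]

def add_security_contact(root, email, given_name="Security Response Team"):
    """Append a Sirtfi security contact unless one exists. ContactPerson comes after
    the role descriptors and Organization, so appending is valid when there is
    no AdditionalMetadataLocation element."""
    if security_contacts(root):
        return False
    cp = ET.SubElement(root, q("md", "ContactPerson"), {"contactType": "other"})
    cp.set(q("remd", "contactType"), SECURITY_CT)
    ET.SubElement(cp, q("md", "GivenName")).text = given_name
    ET.SubElement(cp, q("md", "EmailAddress")).text = "mailto:" + email
    return True

def add_assurance_certification(root, value=SIRTFI):
    """Ensure Extensions/EntityAttributes carries assurance-certification=value.
    md:Extensions must be the first child (after ds:Signature, if present)."""
    ext = root.find(q("md", "Extensions"))
    if ext is None:
        ext = ET.Element(q("md", "Extensions"))
        root.insert(1 if root.find(q("ds", "Signature")) is not None else 0, ext)
    ea = ext.find(q("mdattr", "EntityAttributes"))
    if ea is None:
        ea = ET.SubElement(ext, q("mdattr", "EntityAttributes"))
    attr = next((a for a in ea.findall(q("saml", "Attribute"))
                 if a.get("Name") == ASSURANCE_ATTR), None)
    if attr is None:
        attr = ET.SubElement(ea, q("saml", "Attribute"), {"Name": ASSURANCE_ATTR,
                             "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"})
    if any(v.text == value for v in attr.findall(q("saml", "AttributeValue"))):
        return False  # already certified; leave the document unchanged
    ET.SubElement(attr, q("saml", "AttributeValue")).text = value
    return True

def postprocess_metadata(xml_bytes, security_email):
    """Apply both injections. Run before signing: edits after signing break it."""
    root = ET.fromstring(xml_bytes)
    add_assurance_certification(root)
    add_security_contact(root, security_email)
    return ET.tostring(root, encoding="utf-8")

def summarize_metadata(xml_bytes):
    root = ET.fromstring(xml_bytes)  # plain-data view, for checks and tests
    values = [v.text for a in root.iter(q("saml", "Attribute"))
              if a.get("Name") == ASSURANCE_ATTR
              for v in a.findall(q("saml", "AttributeValue"))]
    return {"extensions_first": len(root) > 0 and root[0].tag == q("md", "Extensions"),
            "security_contacts": len(security_contacts(root)),
            "assurance": values}

# Constructed sample: a minimal IdP descriptor that only has a technical contact.
SAMPLE = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>mailto:tech@example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>"""
```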
Hello,
does anybody know how to specify remd:contactType for the SATOSA front-end? It
is necessary for REFEDS. Example:

```xml
<md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
  <md:Company>XYZ</md:Company>
  <md:GivenName>ABC</md:GivenName>
  <md:SurName>Security</md:SurName>
  <md:EmailAddress>mailto:security at example.com</md:EmailAddress>
</md:ContactPerson>
```
I would also be very thankful for help adding this static string to the
metadata:

```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ...>
  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                      Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>
```
Thank you in advance for any help
Jakub