Hello,
after completing another project I had some time to dig into the issue a
little bit deeper. I've come across this site:
It turns out my interface was misconfigured. Disabling some offloads solved
the issue and overall loss has dropped significantly.
Thank you for your help!
Jakub
Thu, 2 Sep 2021 at 16:02 Vlad Grigorescu <vlad at es.net> wrote:
Jakub,
Sorry for the delay on this, I was also out and then it fell off my radar.
I think your answer lies in the missed_bytes field of the conn log. All of
the connections from your ssh.log had traffic that Zeek did not see. Since
Zeek has no way of knowing what transpired in those missed bytes, the SSH
analyzer will never flag those connections as successful or failed.
The mailing list or Slack might have some suggestions on how to determine
the cause of your missed bytes, and what the solution might be.
--Vlad
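As an added example (not code from the thread, and not Zeek's own), the check Vlad describes can be scripted: join ssh.log to conn.log on uid and, for every SSH connection that lacks auth_success, report whether conn.log's missed_bytes (or the g/G content-gap letters in history) explains it. The log records below are constructed samples modelled on the ones posted in the thread; the field names are Zeek's.

```python
import json
from collections import Counter

# Constructed sample records modelled on the thread's JSON ssh.log/conn.log.
# C1: ssh.log lacks auth_success and conn.log shows a capture gap;
# C2: a clean failed login; C3: ssh.log record with no conn.log counterpart.
SSH_LOG = """
{"ts":1.0,"uid":"C1","id.orig_h":"10.0.0.1","id.orig_p":42814,"id.resp_h":"10.0.0.2","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4"}
{"ts":2.0,"uid":"C2","id.orig_h":"10.0.0.1","id.orig_p":42816,"id.resp_h":"10.0.0.2","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-OpenSSH_7.4"}
{"ts":3.0,"uid":"C3","id.orig_h":"10.0.0.1","id.orig_p":42818,"id.resp_h":"10.0.0.2","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4"}
"""
CONN_LOG = """
{"ts":1.0,"uid":"C1","proto":"tcp","conn_state":"SF","missed_bytes":372560,"history":"ShADadCGcggctgtcFRf","orig_pkts":2290,"resp_pkts":1878}
{"ts":2.0,"uid":"C2","proto":"tcp","service":"ssh","conn_state":"RSTO","missed_bytes":0,"history":"ShADadR","orig_pkts":40,"resp_pkts":30}
"""

def parse_json_log(text):
    """Parse Zeek JSON-format log lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def explain_missing_auth(ssh_text, conn_text):
    """Return {uid: reason} for each ssh.log record that lacks auth_success.

    Joins ssh.log to conn.log on uid and checks missed_bytes (and the g/G
    content-gap letters in history): with a capture gap the SSH analyzer
    cannot observe the authentication exchange, so it makes no determination.
    """
    conns = {rec["uid"]: rec for rec in parse_json_log(conn_text)}
    reasons = {}
    for ssh in parse_json_log(ssh_text):
        if "auth_success" in ssh:
            continue  # a determination was made; nothing to explain
        uid = ssh["uid"]
        conn = conns.get(uid)
        if conn is None:
            reasons[uid] = "no conn.log record for this uid"
        elif conn.get("missed_bytes", 0) > 0 or "g" in conn.get("history", "").lower():
            reasons[uid] = (f"capture gap: {conn.get('missed_bytes', 0)} missed bytes "
                            f"(history {conn.get('history', '')})")
        elif ssh.get("auth_attempts", 0) == 0:
            reasons[uid] = "no authentication attempts observed"
        else:
            reasons[uid] = "undetermined: analyzer stayed conservative"
    return reasons

def gap_summary(conn_text):
    """Count conn.log records with and without missed bytes; a large gap share
    points at the sensor (NIC offloads, load balancing), not the SSH analyzer."""
    return dict(Counter("gap" if rec.get("missed_bytes", 0) > 0 else "clean"
                        for rec in parse_json_log(conn_text)))

if __name__ == "__main__":
    for uid, why in explain_missing_auth(SSH_LOG, CONN_LOG).items():
        print(uid, "->", why)
    print(gap_summary(CONN_LOG))
```

Run it against real logs by replacing the two constants with the contents of ssh.log and conn.log; on the logs posted in this thread every ssh.log uid lands in the capture-gap bucket.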
On Thu, Aug 19, 2021 at 9:58 AM Jakub Niezabitowski <
kuba.michal.n at gmail.com> wrote:
> Hello,
>
> I will be out for about a week. Sorry for the inconvenience. If there
> is any update I will write as soon as I can.
>
> Thank you for your support.
> Jakub
>
> Thu, 19 Aug 2021 at 15:25 Jakub Niezabitowski <kuba.michal.n at gmail.com> wrote:
>
>> This is the output of zeek -v:
>> ./zeek version 4.1.0-dev.750
>>
>> ssh.log:
>>
>> {"ts":1629353969.834005,"uid":"C6vC4b2O0r71ggNi25","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>> {"ts":1629355319.70739,"uid":"C0c0604XfdAEv7svZb","id.orig_h":"149.156.4.93","id.orig_p":42818,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>> {"ts":1629355326.102184,"uid":"ClskL8uZ1TVWjwYV5","id.orig_h":"149.156.4.93","id.orig_p":42820,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>> {"ts":1629363511.517178,"uid":"CcqehS1QVeUxz1B4Od","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>> {"ts":1629359395.93802,"uid":"ChjjxO1RDEYWkNATye","id.orig_h":"149.156.4.93","id.orig_p":56826,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>> {"ts":1629359403.032656,"uid":"CjDb491bXc6cNybmn2","id.orig_h":"149.156.4.93","id.orig_p":56828,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>> {"ts":1629362225.296699,"uid":"CowriFJduoVFdyFH1","id.orig_h":"149.156.4.93","id.orig_p":35404,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>> {"ts":1629361952.911338,"uid":"CFoYi71C4Nh1f5zlLk","id.orig_h":"149.156.4.93","id.orig_p":35402,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>> {"ts":1629368286.231978,"uid":"CevlPO3R5JgpEwTLfe","id.orig_h":"149.156.4.93","id.orig_p":33266,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>> {"ts":1629368323.887805,"uid":"CSSAMgMkKpJnTYDOg","id.orig_h":"149.156.4.93","id.orig_p":33268,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>> {"ts":1629368384.265589,"uid":"CszcwObIzxyaFRswi","id.orig_h":"149.156.4.93","id.orig_p":33270,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>> {"ts":1629369473.554433,"uid":"C2iNBj2NrOS4TvWqed","id.orig_h":"149.156.4.93","id.orig_p":33272,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>> {"ts":1629369478.658333,"uid":"CZLjJa3oSIDiQD0Ko1","id.orig_h":"149.156.4.93","id.orig_p":33274,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.5p1-hpn15v2","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>> {"ts":1629363611.176921,"uid":"CanhZA2xCTZoDMPvng","id.orig_h":"149.156.4.93","id.orig_p":39666,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>> {"ts":1629363530.397083,"uid":"CeYi3U1HCr8ADcerw9","id.orig_h":"149.156.4.93","id.orig_p":39664,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.6","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4"}
>> {"ts":1629366392.592983,"uid":"CuthbE1HzIye71DjVc","id.orig_h":"149.156.4.93","id.orig_p":54438,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>> {"ts":1629365717.892757,"uid":"C9hAYf1UisBCzG2GL5","id.orig_h":"149.156.4.93","id.orig_p":54101,"id.resp_h":"149.156.9.136","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-OpenSSH_7.4p1c-GSI GSI-hpn14v13-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"ecdsa-sha2-nistp256","host_key":"16:e5:7f:69:45:d0:0f:6c:49:8d:c0:99:0b:e1:e9:dd"}
>>
>> conn.log:
>>
>> {"ts":1629353969.732991,"uid":"C6vC4b2O0r71ggNi25","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":1343.1681571006776,"orig_bytes":10765,"resp_bytes":1249389,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":372560,"history":"ShADadCGcggctgtcFRf","orig_pkts":2290,"orig_ip_bytes":128761,"resp_pkts":1878,"resp_ip_bytes":1005437}
>> {"ts":1629355322.821648,"uid":"CBGul41OnibExQK9O6","id.orig_h":"149.156.4.93","id.orig_p":42814,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":88.76865911483765,"orig_bytes":0,"resp_bytes":1048,"conn_state":"OTH","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^dt","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":4,"resp_ip_bytes":4400}
>> {"ts":1629355319.682793,"uid":"C0c0604XfdAEv7svZb","id.orig_h":"149.156.4.93","id.orig_p":42818,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":3674.8831601142885,"orig_bytes":5049,"resp_bytes":2136781,"conn_state":"RSTO","local_orig":false,"local_resp":false,"missed_bytes":9868,"history":"ShADadcgttR","orig_pkts":4225,"orig_ip_bytes":225141,"resp_pkts":4243,"resp_ip_bytes":2382129}
>> {"ts":1629355326.076816,"uid":"ClskL8uZ1TVWjwYV5","id.orig_h":"149.156.4.93","id.orig_p":42820,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":3696.138195991516,"orig_bytes":8641,"resp_bytes":2227993,"conn_state":"RSTO","local_orig":false,"local_resp":false,"missed_bytes":47024,"history":"ShADadcggttcGR","orig_pkts":4504,"orig_ip_bytes":243421,"resp_pkts":4411,"resp_ip_bytes":2454697}
>> {"ts":1629363511.478,"uid":"CcqehS1QVeUxz1B4Od","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":26.2694411277771,"orig_bytes":3497,"resp_bytes":45209,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":28080,"history":"ShADadCGcggFRft","orig_pkts":88,"orig_ip_bytes":6557,"resp_pkts":66,"resp_ip_bytes":23653}
>> {"ts":1629363542.919383,"uid":"CpYDAh26XA0tnFjqE8","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>> {"ts":1629363548.264316,"uid":"CKIeJ02kp7bqmZHQGa","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>> {"ts":1629363558.951295,"uid":"Cy70hG3xbe0YraNLQ","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>> {"ts":1629363580.29527,"uid":"ClzNXf3uL9jMAKVFN8","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>> {"ts":1629363623.047142,"uid":"CM6AG64ej3HoBNCmV6","id.orig_h":"149.156.4.93","id.orig_p":39662,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","conn_state":"SHR","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"^f","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":1,"resp_ip_bytes":576}
>> {"ts":1629359395.898961,"uid":"ChjjxO1RDEYWkNATye","id.orig_h":"149.156.4.93","id.orig_p":56826,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2406.9871258735659,"orig_bytes":14529,"resp_bytes":1270377,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":231140,"history":"ShADadCGcggtcgTt","orig_pkts":2670,"orig_ip_bytes":152449,"resp_pkts":2337,"resp_ip_bytes":1196833}
>> {"ts":1629359402.915081,"uid":"CjDb491bXc6cNybmn2","id.orig_h":"149.156.4.93","id.orig_p":56828,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2431.203042984009,"orig_bytes":22009,"resp_bytes":3986829,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":401516,"history":"ShADadCGcgtTtgcGgc","orig_pkts":8571,"orig_ip_bytes":467389,"resp_pkts":8341,"resp_ip_bytes":4070913}
>> {"ts":1629362225.253584,"uid":"CowriFJduoVFdyFH1","id.orig_h":"149.156.4.93","id.orig_p":35404,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":1795.6165931224824,"orig_bytes":23017,"resp_bytes":1719917,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":249976,"history":"ShAdDacggtctTg","orig_pkts":3808,"orig_ip_bytes":221809,"resp_pkts":3676,"resp_ip_bytes":1708085}
>> {"ts":1629361952.865328,"uid":"CFoYi71C4Nh1f5zlLk","id.orig_h":"149.156.4.93","id.orig_p":35402,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":2072.1008388996126,"orig_bytes":27917,"resp_bytes":1165281,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":322496,"history":"ShADadCGcgtTgctgc","orig_pkts":3158,"orig_ip_bytes":191313,"resp_pkts":2439,"resp_ip_bytes":1014905}
>> {"ts":1629368286.226311,"uid":"CevlPO3R5JgpEwTLfe","id.orig_h":"149.156.4.93","id.orig_p":33266,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":31.089575052261354,"orig_bytes":4095,"resp_bytes":7573,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGtFf","orig_pkts":50,"orig_ip_bytes":5807,"resp_pkts":35,"resp_ip_bytes":4377}
>> {"ts":1629368323.882291,"uid":"CSSAMgMkKpJnTYDOg","id.orig_h":"149.156.4.93","id.orig_p":33268,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":39.62539982795715,"orig_bytes":3907,"resp_bytes":7133,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGFf","orig_pkts":38,"orig_ip_bytes":4983,"resp_pkts":26,"resp_ip_bytes":3385}
>> {"ts":1629368384.260782,"uid":"CszcwObIzxyaFRswi","id.orig_h":"149.156.4.93","id.orig_p":33270,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":95.20389604568482,"orig_bytes":4699,"resp_bytes":8045,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgCGFf","orig_pkts":78,"orig_ip_bytes":7855,"resp_pkts":48,"resp_ip_bytes":5441}
>> {"ts":1629369473.551176,"uid":"C2iNBj2NrOS4TvWqed","id.orig_h":"149.156.4.93","id.orig_p":33272,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":4.286886930465698,"orig_bytes":3907,"resp_bytes":7169,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":5108,"history":"ShADadcgtFf","orig_pkts":42,"orig_ip_bytes":6111,"resp_pkts":29,"resp_ip_bytes":3661}
>> {"ts":1629369478.65472,"uid":"CZLjJa3oSIDiQD0Ko1","id.orig_h":"149.156.4.93","id.orig_p":33274,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":1.974303960800171,"orig_bytes":3907,"resp_bytes":7133,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6016,"history":"ShADadcgtTCGFf","orig_pkts":39,"orig_ip_bytes":5535,"resp_pkts":27,"resp_ip_bytes":3909}
>> {"ts":1629363611.137711,"uid":"CanhZA2xCTZoDMPvng","id.orig_h":"149.156.4.93","id.orig_p":39666,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":4322.946979999542,"orig_bytes":83385,"resp_bytes":4093093,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":1280948,"history":"ShADadcgcggttcTt","orig_pkts":9754,"orig_ip_bytes":592549,"resp_pkts":7344,"resp_ip_bytes":3280677}
>> {"ts":1629363530.35789,"uid":"CeYi3U1HCr8ADcerw9","id.orig_h":"149.156.4.93","id.orig_p":39664,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":4444.6867852211,"orig_bytes":16493,"resp_bytes":2455029,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":99340,"history":"ShADadCGcgtgctT","orig_pkts":5389,"orig_ip_bytes":295961,"resp_pkts":5126,"resp_ip_bytes":2670001}
>> {"ts":1629366392.574032,"uid":"CuthbE1HzIye71DjVc","id.orig_h":"149.156.4.93","id.orig_p":54438,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":5154.938705921173,"orig_bytes":14113,"resp_bytes":49097,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":17616,"history":"ShADadcgCGgc","orig_pkts":699,"orig_ip_bytes":49321,"resp_pkts":433,"resp_ip_bytes":55169}
>> {"ts":1629365717.871532,"uid":"C9hAYf1UisBCzG2GL5","id.orig_h":"149.156.4.93","id.orig_p":54101,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","service":"ssh","duration":5869.062443971634,"orig_bytes":25417,"resp_bytes":123257,"conn_state":"S1","local_orig":false,"local_resp":false,"missed_bytes":68778,"history":"ShADadcgCGTtgc","orig_pkts":1409,"orig_ip_bytes":97629,"resp_pkts":764,"resp_ip_bytes":96079}
>> {"ts":1629378908.289358,"uid":"CgpvjA2SRGDerkjnt7","id.orig_h":"149.156.4.93","id.orig_p":33276,"id.resp_h":"149.156.9.136","id.resp_p":22,"proto":"tcp","duration":12.938737154006958,"orig_bytes":4699,"resp_bytes":8277,"conn_state":"SF","local_orig":false,"local_resp":false,"missed_bytes":6047,"history":"ShaGADdcgCtFf","orig_pkts":83,"orig_ip_bytes":8127,"resp_pkts":51,"resp_ip_bytes":5913}
>>
>> I am also attaching a new pcap in case the logs for the older one have
>> already been rotated.
>>
>> Jakub
>>
>> Thu, 19 Aug 2021 at 13:42 Vlad Grigorescu <vlad at es.net> wrote:
>>
>>> When I run the PCAP through try.zeek.org, it reports auth_success as T:
>>> https://try.zeek.org/#/tryzeek/saved/527994
>>>
>>> What version of Zeek? To verify that capture loss isn't an issue, can
>>> you share the line from conn.log that you see for that connection?
>>>
>>> On Thu, Aug 19, 2021 at 5:47 AM Jakub Niezabitowski <
>>> kuba.michal.n at gmail.com> wrote:
>>>
>>>> To add some context, this is my node.cfg:
>>>>
>>>> [logger-1]
>>>> type=logger
>>>> host=localhost
>>>> #
>>>> [manager]
>>>> type=manager
>>>> host=localhost
>>>> #
>>>> [proxy-1]
>>>> type=proxy
>>>> host=localhost
>>>> #
>>>> [worker-1]
>>>> type=worker
>>>> host=localhost
>>>> lb_procs=8
>>>> lb_method=pf_ring
>>>> pin_cpus=0,1,2,3,4,5,6,7
>>>> interface=eth-mirror
>>>>
>>>> This machine can handle up to 8GBit/s of traffic, during capture it
>>>> was about 1GBit/s.
>>>>
>>>>
>>>> Thu, 19 Aug 2021 at 12:42 Jakub Niezabitowski <kuba.michal.n at gmail.com> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> The data was gathered on the same network interface as Zeek. It was
>>>>> filtered, though, to include only the related traffic.
>>>>>
>>>>> I logged in using host 149.156.4.93 to machine 149.156.9.136 and
>>>>> executed a few commands. Zeek is not showing the auth_success field.
>>>>>
>>>>> After reading the provided docs (
>>>>> https://docs.zeek.org/en/master/scripts/base/protocols/ssh/main.zeek.html#i…)
>>>>> I assume it could be related to capture losses, but it shouldn't be. The amount
>>>>> of traffic was way below average.
>>>>>
>>>>> Thank you for your help!
>>>>> Jakub
>>>>>
>>>>>
>>>>> Wed, 18 Aug 2021 at 14:27 Vlad Grigorescu <vlad at es.net> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Aug 18, 2021 at 03:27 Jakub Niezabitowski <
>>>>>> kuba.michal.n at gmail.com> wrote:
>>>>>>
>>>>>>>
>>>>>>> {"ts":1629151421.501644,"uid":"CUgRqs4tiJyHemzjs5","id.orig_h":"IP1","id.orig_p":41080,"id.resp_h":"IP2","id.resp_p":22,"version":2,"auth_attempts":0,"client":"SSH-2.0-Go","server":"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2","cipher_alg":"aes128-gcm@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256@libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"KEY1"}
>>>>>>>
>>>>>>
>>>>>> This connection had “auth_attempts: 0,” so there was nothing to
>>>>>> make a determination on.
>>>>>>
>>>>>>>
>>>>>>> {"ts":1629151420.84616,"uid":"CN6Tsq42Ki15BZF9J","id.orig_h":"IP3","id.orig_p":38122,"id.resp_h":"IP4","id.resp_p":22,"version":2,"auth_success":false,"auth_attempts":2,"client":"SSH-2.0-OpenSSH_8.1","server":"SSH-2.0-babeld-322814ef","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"hmac-sha2-256-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256","host_key_alg":"rsa-sha2-512","host_key":"KEY2"}
>>>>>>>
>>>>>> This connection has “auth_success: false,” so it seems like a
>>>>>> determination was made?
>>>>>>
>>>>>> The docs (https://docs.zeek.org/en/master/scripts/base/protocols/ssh/main.zeek.html#i…)
>>>>>> have a bit more info, but essentially, yes it is expected, and Zeek goes to
>>>>>> some lengths to avoid false positives and negatives, at the expense of true
>>>>>> positives. However, that doesn’t seem to be the case here?
>>>>>>
>>>>>> —Vlad
>>>>>>
>>>>>