SSH auth_success state true set, but admin claims no logins
by Collyer, Jeffrey W (jwc3f)
So recently I saw an SSH login to a device from outside the US. I reported it to the end system admin. The Zeek log set the auth_success state to true, but the admin of the box claims no successful login and is pushing back that it is a false positive.
Have other Zeek users ever seen this? Is the SSH auth state detection mistaken here?
I don't have pcaps to verify one way or the other, sadly.
{"_path":"ssh","_system_name":"corelight","_write_ts":"2019-09-12T22:26:32.106142Z","ts":"2019-09-12T22:26:31.226136Z","uid":"C95i0o2Jl77LXHb2R9","id.orig_h":"x.x.x.x","id.orig_p":49670,"id.resp_h":"x.x.x.x","id.resp_p":22,"version":2,"auth_success":true,"auth_attempts":1,"direction":"INBOUND","client":"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4","server":"SSH-2.0-OpenSSH_7.4","cipher_alg":"chacha20-poly1305@openssh.com","mac_alg":"umac-64-etm@openssh.com","compression_alg":"none","kex_alg":"curve25519-sha256@libssh.org","host_key_alg":"ecdsa-sha2-nistp256","host_key":"68:1e:68:89:5e:e5:20:72:f7:e6:bf:21:de:07:3a:b1"}
Can anyone shed light on this?
Thanks
Jeff
Jeffrey Collyer
Information Security Engineer
University of Virginia
jwc3f(a)virginia.edu
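As an added example (not part of the original post and not Zeek's own code), a small triage script that reads Zeek ssh.log JSON records like the one above, keeps only inbound sessions from outside an assumed internal range, and separates auth_success=true from records where Zeek did not set the field at all (auth_success is optional in SSH::Info and is absent when the heuristic cannot decide). The sample records and the 10.0.0.0/8 internal range are constructed for the example.

```python
import json
import ipaddress

# Constructed ssh.log records in Zeek's JSON format (trimmed to the fields
# used here): an inbound success, an inbound session where Zeek set no
# auth_success at all, an inbound failure after many attempts, and an
# outbound session that the triage should ignore.
SAMPLE_LOG = """
{"ts":"2019-09-12T22:26:31.226136Z","uid":"CONSTRUCTED1","id.orig_h":"203.0.113.10","id.orig_p":49670,"id.resp_h":"10.0.0.5","id.resp_p":22,"auth_success":true,"auth_attempts":1,"direction":"INBOUND","client":"SSH-2.0-OpenSSH_7.2p2"}
{"ts":"2019-09-12T22:27:00.000000Z","uid":"CONSTRUCTED2","id.orig_h":"192.0.2.33","id.orig_p":50001,"id.resp_h":"10.0.0.5","id.resp_p":22,"auth_attempts":1,"direction":"INBOUND","client":"SSH-2.0-OpenSSH_7.4"}
{"ts":"2019-09-12T22:28:00.000000Z","uid":"CONSTRUCTED3","id.orig_h":"198.51.100.9","id.orig_p":50002,"id.resp_h":"10.0.0.5","id.resp_p":22,"auth_success":false,"auth_attempts":12,"direction":"INBOUND"}
{"ts":"2019-09-12T22:29:00.000000Z","uid":"CONSTRUCTED4","id.orig_h":"10.0.0.5","id.orig_p":50003,"id.resp_h":"203.0.113.10","id.resp_p":22,"auth_success":true,"auth_attempts":1,"direction":"OUTBOUND"}
"""

# Assumption: the site's own address space; adjust to the real ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text: str):
    """Return (verdict, uid, orig_h, auth_attempts) for each inbound external session.

    Verdicts: 'SUCCESS' when Zeek's heuristic set auth_success=true,
    'UNDETERMINED' when the field is absent (Zeek leaves it unset when it
    cannot decide), 'FAILED' when it is false.
    """
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("direction") != "INBOUND" or is_internal(rec["id.orig_h"]):
            continue
        if "auth_success" not in rec:
            verdict = "UNDETERMINED"
        elif rec["auth_success"]:
            verdict = "SUCCESS"
        else:
            verdict = "FAILED"
        findings.append((verdict, rec["uid"], rec["id.orig_h"], rec.get("auth_attempts", 0)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A SUCCESS verdict from this log is only Zeek's packet-size heuristic, so it is a prompt to pull the host's own auth logs (and a pcap if one exists) for that uid, not proof of a login on its own.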