SSHFP RR type in Bro Logs
by J. Edward Durrett
Narrowing that down and searching for similar records, I got
RR type 44 is SSHFP.
Searching through the Bro source I found the problem in this script:
Lines 24 and 25:
RR type 45 is IPSECKEY.
I filed an issue report, but this is also easily correctable on an already installed system. However, looking at the GitHub
page, it has been quite a while since this file was updated. That means, if a script were designed, for example, to parse
a log for SSHFP query types in order to correlate that with an SSH login, nothing would be found. If it were designed to use the
code, 44, then it would work. The same goes for IPSECKEY.
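To make the difference concrete, here is an added example (not from the original post or the Bro project) that searches a dns.log by numeric `qtype` instead of by `qtype_name`. The log excerpt is constructed and cut down to a few columns, and the function names and the `iana_name` key are assumptions made for this illustration.

```python
# IANA names for the two RR type codes discussed in this post.
IANA_NAMES = {44: "SSHFP", 45: "IPSECKEY"}

# Constructed sample: a reduced dns.log (real logs carry more columns).
# The type-44 row carries the label SINK, as described in the post; the
# label on the type-45 row is left unset ("-") because it is not shown here.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tquery\tqtype\tqtype_name",
    "1546300800.000000\tCexample1\t192.0.2.10\thost.example.org\t1\tA",
    "1546300801.000000\tCexample2\t192.0.2.10\thost.example.org\t44\tSINK",
    "1546300802.000000\tCexample3\t192.0.2.11\tgw.example.org\t45\t-",
])


def parse_dns_log(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def find_by_name(text, name):
    """Fragile: trusts the qtype_name column exactly as it was logged."""
    return [r for r in parse_dns_log(text) if r.get("qtype_name") == name]


def find_by_qtype(text, qtype):
    """Robust: selects on the numeric code and attaches the IANA name."""
    hits = []
    for rec in parse_dns_log(text):
        if rec.get("qtype") == str(qtype):
            rec["iana_name"] = IANA_NAMES.get(qtype, rec.get("qtype_name"))
            hits.append(rec)
    return hits


if __name__ == "__main__":
    print("by name SSHFP:", len(find_by_name(SAMPLE_LOG, "SSHFP")), "records")
    for rec in find_by_qtype(SAMPLE_LOG, 44):
        print(rec["ts"], rec["id.orig_h"], rec["query"],
              "logged as", rec["qtype_name"], "-> IANA", rec["iana_name"])
```

The timestamp and originating host of each hit are the fields you would join against SSH login records.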
It is also worth knowing that there is a strong likelihood someone has noticed this before and written scripts knowing that
SINK=SSHFP. Before making a change in an existing configuration, care should be taken that you are not breaking a previously
Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.