[Bro] Bro Script to detect plain text passwords?

Seth Hall seth at icir.org
Tue Nov 4 18:09:00 PST 2014

> On Nov 4, 2014, at 6:24 PM, Jeff Hammett <jeff at jeffhammett.com> wrote:
> Does Bro have this functionality? Or would it be feasible to write a script to do so? (I haven’t written any scripts yet, but am interested).

Even better, it's something that we ship with, it just needs to be enabled.  We decided to have a default setting of not capturing passwords.  If you run Bro through BroControl, add the following line to your local.bro and do the check/install/restart commands in broctl.

redef HTTP::default_capture_password = T;

It will be in a field in your http.log named "password".  There will also be a field named "username".

> I think I would be most interested in detecting plain text passwords used for http logins, but wouldn’t mind monitoring for other protocols as well.

For FTP:
redef FTP::default_capture_password = T;

Channel passwords are logged by default for IRC too.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list