[Bro] Bro Script to detect plain text passwords?
seth at icir.org
Tue Nov 4 18:09:00 PST 2014
> On Nov 4, 2014, at 6:24 PM, Jeff Hammett <jeff at jeffhammett.com> wrote:
> Does Bro have this functionality? Or would it be feasible to write a script to do so? (I haven’t written any scripts yet, but am interested).
Even better, it's something that we ship with, it just needs to be enabled. We decided to have a default setting of not capturing passwords. If you run Bro through BroControl, add the following line to your local.bro and do the check/install/restart commands in broctl.
redef HTTP::default_capture_password = T;
It will be in a field in your http.log named "password". There will also be a field named "username".
> I think I would be most interested in detecting plain text passwords used for http logins, but wouldn’t mind monitoring for other protocols as well.
redef FTP::default_capture_password = T;
Channel passwords are logged by default for IRC too.
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro