[Bro] Bro Script to detect plain text passwords?
npratley at redhat.com
Tue Nov 4 18:29:47 PST 2014
Oh, I hadn't seen this before I sent my reply. Good to know, thanks.
On 11/05/2014 12:09 PM, Seth Hall wrote:
>> On Nov 4, 2014, at 6:24 PM, Jeff Hammett <jeff at jeffhammett.com> wrote:
>> Does Bro have this functionality? Or would it be feasible to write a script to do so? (I haven’t written any scripts yet, but am interested).
> Even better, it's something that we ship with, it just needs to be enabled. We decided to have a default setting of not capturing passwords. If you run Bro through BroControl, add the following line to your local.bro and do the check/install/restart commands in broctl.
> redef HTTP::default_capture_password = T;
> It will be in a field in your http.log named "password". There will also be a field named "username".
>> I think I would be most interested in detecting plain text passwords used for http logins, but wouldn’t mind monitoring for other protocols as well.
> For FTP:
> redef FTP::default_capture_password = T;
> Channel passwords are logged by default for IRC too.
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> Bro mailing list
> bro at bro-ids.org
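
An added example, not part of the original messages and not code shipped with Bro: once the redef lines above are enabled, a short script can list the http.log entries in which a password was captured, without echoing the password itself. It assumes Bro's default tab-separated ASCII log layout; the sample log is constructed, shows only a subset of the real columns, and the function name is hypothetical.

```python
import io

# Constructed sample in Bro's tab-separated log layout (not real traffic).
# Assumption: only a subset of http.log columns is shown here.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\thttp",
    "#fields\tts\tid.orig_h\tid.resp_h\thost\turi\tusername\tpassword",
    "1415154587.10\t192.0.2.10\t198.51.100.5\tintranet.example\t/admin\talice\thunter2",
    "1415154590.42\t192.0.2.11\t198.51.100.5\tintranet.example\t/index.html\t-\t-",
    "1415154593.77\t192.0.2.12\t198.51.100.7\tprinter.example\t/status\tbob\t-",
]) + "\n"


def find_cleartext_logins(stream):
    """Return one dict per log row whose 'password' field is set.

    Column positions come from the '#fields' header, so the function
    keeps working when the column order differs between deployments.
    """
    fields, unset, empty, hits = [], "-", "(empty)", []
    for raw in stream:
        line = raw.rstrip("\n")
        if line.startswith("#"):
            key, *vals = line.split("\t")
            if key == "#fields":
                fields = vals
            elif key == "#unset_field" and vals:
                unset = vals[0]
            elif key == "#empty_field" and vals:
                empty = vals[0]
            continue
        if not line:
            continue
        row = dict(zip(fields, line.split("\t")))
        pw = row.get("password", unset)
        if pw == unset:          # nothing captured for this request
            continue
        hits.append({
            "ts": row.get("ts"), "client": row.get("id.orig_h"),
            "server": row.get("id.resp_h"), "host": row.get("host"),
            "uri": row.get("uri"), "username": row.get("username"),
            # Report only the length so the secret is not copied again.
            "password_len": 0 if pw == empty else len(pw),
        })
    return hits


if __name__ == "__main__":
    for hit in find_cleartext_logins(io.StringIO(SAMPLE_LOG)):
        print(hit)
```

To run it against a real log, pass an open file handle for http.log instead of the constructed sample.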