[Bro-Dev] HTTP Sensitive POST bro policy

Jim Mellander jmellander at lbl.gov
Wed Apr 30 10:18:47 PDT 2014


Hi all:

For a number of reasons, I elected to write the attached bro policy,
which looks at http POSTs and performs regular expression matching on
the posted data. The regular expression, by default, looks for the
words password or passwd in upper or lower case in an attempt to find
HTTP authentications via posted form.

Unlike the heartbleed stuff, it does not require a special version of
Bro, just @load it, will create notices of what it finds.

There are a few knobs that can be adjusted that are documented in the script.

The only problem with this script is that it is finding way too much -
there are way too many cleartext authentications going on. If you
look at outbound traffic, you just might see major corporations with
security fails.....

There are some additional tweaks I want to make to this script, but it
is usable as is. I hope if you run this, there aren't too many
alarming results in your traffic.

Kudos to the first person who finds the minor inconsistency that I
elected not to address.


Hope this helps,

Jim Mellander

NERSC Cybersecurity
-------------- next part --------------
A non-text attachment was scrubbed...
Name: http-sensitive_POSTs.bro
Type: application/octet-stream
Size: 2830 bytes
Desc: not available
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20140430/956c5f01/attachment.obj 
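As an added example (not Jim's attached http-sensitive_POSTs.bro, which the archive does not reproduce), here is a minimal Bro/Zeek policy of the kind the message describes: it watches the request bodies of HTTP POSTs, matches the posted data against a redef-able pattern that catches "password" or "passwd" in any case, and raises a notice. The module name, notice type and knob names are assumptions, and it targets the current Zeek script API rather than the Bro 2.x of 2014.

```zeek
##! Added illustration: flag HTTP POST bodies that look like form logins.
##! Module name, notice type and knob names are assumptions, not the original script's.

@load base/frameworks/notice
@load base/protocols/http
@load base/utils/site

module SensitivePOST;

export {
	redef enum Notice::Type += {
		## Posted form data matched the sensitive pattern.
		Cleartext_Credential,
	};

	## Applied to the lower-cased body, so "Password" and "PASSWD" both match.
	const sensitive_pattern = /passw(or)?d/ &redef;

	## Only examine POSTs whose originator is inside Site::local_nets.
	const local_orig_only = T &redef;
}

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
	{
	# Only request (client -> server) bodies of POST transactions.
	if ( ! is_orig || ! c?$http || ! c$http?$method || c$http$method != "POST" )
		return;

	if ( local_orig_only && ! Site::is_local_addr(c$id$orig_h) )
		return;

	# Bodies arrive in chunks, so a match that straddles two chunks is missed.
	if ( sensitive_pattern !in to_lower(data) )
		return;

	local host = c$http?$host ? c$http$host : "-";
	local uri  = c$http?$uri  ? c$http$uri  : "-";

	NOTICE([$note=Cleartext_Credential,
	        $msg=fmt("Possible cleartext credential in POST to %s%s", host, uri),
	        $conn=c,
	        # One notice per client/host/uri per hour, not one per submission.
	        $identifier=cat(c$id$orig_h, host, uri),
	        $suppress_for=1hr]);
	}
```

The notice body is never logged, only the destination, so the alert itself does not become a second copy of the credential.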