patch to Bro to detect the newly announced Solaris Telnet remote exploit
Vern Paxson
vern at icir.org
Wed Oct 2 21:37:37 PDT 2002
The following patch creates a new event, login_prompt, which you can then
examine in your policy script. The "right" approach would be to modify
Bro to send up the entire Telnet environment, since it is already extracting
$DISPLAY and $TERM (and now $TTYPROMPT too); but for expediency I just
added $TTYPROMPT as a separate event, similar to the other two.
This will be incorporated in the next "current" release.
Vern
*** Login.cc 2002/09/15 16:14:31 1.11
--- Login.cc 2002/10/03 00:13:16
***************
*** 348,353 ****
--- 348,363 ----
mgr.QueueEvent(login_display, vl);
}
+
+ else if ( login_prompt && streq(name, "TTYPROMPT") )
+ {
+ val_list* vl = new val_list;
+
+ vl->append(BuildConnVal());
+ vl->append(new StringVal(val));
+
+ mgr.QueueEvent(login_prompt, vl);
+ }
}
delete name;
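Review bot: The new TTYPROMPT branch in Login.cc carries no comment explaining why this one environment variable is lifted out as its own event next to DISPLAY and TERM, so a reader of Login.cc alone cannot tell that it exists to support detection of the announced Solaris telnet login issue; the motivation lives only in the mailing-list text. Suggest a comment above the `else if`: `// $TTYPROMPT is surfaced as its own event so policy can flag the Solaris telnet login exploit (Oct 2002); see login_prompt in login.bro`. The branch also repeats the val_list construction of the login_display branch just above it; a small helper taking the event handler and the value would remove the duplication, though the cover letter already notes that forwarding the whole environment is the intended longer-term fix. The enclosing function continues past the end of the hunk.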
*** NetVar.h 2002/10/01 23:45:17 1.68
--- NetVar.h 2002/10/03 00:13:46
***************
*** 134,139 ****
--- 134,140 ----
extern Func* login_confused_text;
extern Func* login_terminal;
extern Func* login_display;
+ extern Func* login_prompt;
extern Func* excessive_line;
extern Func* authentication_accepted;
*** NetVar.cc 2002/10/01 23:45:17 1.72
--- NetVar.cc 2002/10/03 00:13:54
***************
*** 130,135 ****
--- 130,136 ----
Func* login_confused_text;
Func* login_terminal;
Func* login_display;
+ Func* login_prompt;
Func* excessive_line;
Func* authentication_accepted;
***************
*** 393,398 ****
--- 394,400 ----
login_confused_text = internal_func("login_confused_text");
login_terminal = internal_func("login_terminal");
login_display = internal_func("login_display");
+ login_prompt = internal_func("login_prompt");
excessive_line = internal_func("excessive_line");
authentication_accepted = internal_func("authentication_accepted");
*** bro.init 2002/10/01 23:38:16 1.127
--- bro.init 2002/10/03 00:13:28
***************
*** 573,578 ****
--- 573,579 ----
global login_confused_text: event(c: connection, line: string);
global login_terminal: event(c: connection, terminal: string);
global login_display: event(c: connection, display: string);
+ global login_prompt: event(c: connection, prompt: string);
global excessive_line: event(c: connection);
global authentication_accepted: event(name: string, c: connection);
*** login.bro 2002/09/23 22:23:01 1.26
--- login.bro 2002/10/03 00:17:39
***************
*** 407,412 ****
--- 407,418 ----
hot_login(c, fmt("%s term %s", id_string(c$id), terminal), "trb");
}
+ event login_prompt(c: connection, prompt: string)
+ {
+ # Could check length >= 6, per Solaris exploit ...
+ hot_login(c, fmt("%s $TTYPROMPT %s", id_string(c$id), prompt), "trb");
+ }
+
event excessive_line(c: connection)
{
if ( is_login_conn(c) )
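Review bot: The new login_prompt handler calls hot_login for every $TTYPROMPT value it sees, while its own comment `# Could check length >= 6, per Solaris exploit ...` leaves the threshold it names as an open question; as written, any client that sends $TTYPROMPT at all, whatever its length, is reported as a hot login with the same "trb" tag as a suspicious terminal, which presumably makes the two cases indistinguishable in the notice. Either apply the threshold the comment names before calling hot_login, or, if the intent is that any client-supplied $TTYPROMPT is suspicious regardless of length, replace the comment with one that says so, e.g. `# Any $TTYPROMPT sent by the client is treated as suspicious (Solaris telnet login exploit, Oct 2002); the exploit's value is at least 6 bytes but short values are flagged too.` Either way, the comment should state the chosen policy rather than defer it.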