[Bro] rsh.bro (inadvertently missing from 0.9a8)

Vern Paxson vern at icir.org
Fri Feb 25 13:00:50 PST 2005


# $Id: rsh.bro,v 1.1 2004/11/02 07:51:22 vern Exp $

@load conn
@load login

# Only capture the rsh control channel (TCP/514) for this analyzer.
# NOTE(review): rsh also opens a separate, dynamically chosen client port for
# stderr; that side channel is not covered by this filter -- confirm whether
# that matters for the deployment.
redef capture_filters += { ["rsh"] = "tcp port 514" };

# Notice types raised by this script.  They are added before "module RSH;"
# below, so they live in the global namespace like the other Notice values.
redef enum Notice += {
	# RSH client username and server username differ
	# ($sub = client user, $user = server user).
	DifferentRSH_Usernames,

	# Attempt to authenticate via RSH failed: the first non-empty line
	# of server output matched RSH::failure_msgs.
	FailedRSH_Authentication,

	# RSH session appears to be interactive - client input was seen
	# after the server had already produced output.
	InteractiveRSH,

	# A client input line matched login.bro's input_trouble /
	# full_input_trouble patterns ($msg = the offending line).
	SensitiveRSH_Input,

	# A server output line matched login.bro's output_trouble /
	# full_output_trouble patterns ($msg = the offending line).
	SensitiveRSH_Output,
};

# Everything from here on is in the RSH namespace (e.g. RSH::failure_msgs);
# the Notice values above are not.
module RSH;

export {
	# Server replies which, when seen as the first non-empty line of
	# output, are taken to mean the rsh authentication was refused.
	# Sites can extend the pattern via redef.
	const failure_msgs =
		  /^Permission denied/
		| /Login failed/
	&redef;
}

# State tracked for one rsh connection (see rsh_sessions below).
type rsh_session_info: record {
	client_user: string;	# username the client claims to be
	server_user: string;	# username requested on the server
	initial_cmd: string;	# first request line seen on the connection
	output_line: count;	# non-empty server reply lines seen so far
};

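# Per-connection rsh session state, keyed by the connection 4-tuple.
global rsh_sessions: table[conn_id] of rsh_session_info;

# Release the session state when the connection is removed from Bro's
# state; nothing else ever deletes entries, so without this the table
# grows by one record for every rsh connection ever seen.
event connection_state_remove(c: connection)
	{
	if ( c$id in rsh_sessions )
		delete rsh_sessions[c$id];
	}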

# Start tracking an rsh session for connection c, recording the client and
# server usernames and the first request line.  Any state already kept for
# this connection (e.g. from an earlier request) is replaced.
function new_rsh_session(c: connection, client_user: string,
			 server_user: string, line: string)
	{
	local info: rsh_session_info;
	info$client_user = client_user;
	info$server_user = server_user;
	info$initial_cmd = line;
	info$output_line = 0;	# no server output seen yet

	# Assigning over an existing key replaces the old record, so no
	# separate delete is needed.
	rsh_sessions[c$id] = info;
	}

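# Handle one line of client->server rsh input.
#   client_user/server_user: usernames from the rsh request header
#   line: the request/command line
#   new: T when the analyzer reports this as the start of a new session
# Raises DifferentRSH_Usernames, InteractiveRSH and SensitiveRSH_Input.
event rsh_request(c: connection, client_user: string, server_user: string,
		  line: string, new: bool)
	{
	local id = c$id;

	# A new request starts a fresh session.  We also (re)create the
	# state when none exists for a non-new line -- e.g. monitoring
	# started while the connection was already in progress -- since
	# indexing rsh_sessions blindly for a missing key would abort the
	# handler and lose the notices below.
	if ( new || id !in rsh_sessions )
		{
		new_rsh_session(c, client_user, server_user, line);

		if ( client_user != server_user )
			NOTICE([$note=DifferentRSH_Usernames, $conn=c,
				$msg=fmt("differing client/server usernames (%s/%s)",
					client_user, server_user),
				$sub=client_user, $user=server_user]);
		}

	local s = rsh_sessions[id];

	# Input arriving after the server already produced output means the
	# user is typing at a shell rather than running a single command.
	if ( s$output_line > 0 )
		NOTICE([$note=InteractiveRSH, $conn=c,
			$msg="interactive RSH session, input following output",
			$sub=s$client_user, $user=s$server_user]);

	# Match the raw line and the line with backspace / delete editing
	# applied, so keystroke editing cannot hide a sensitive command
	# from the input_trouble pattern.
	local BS_line = edit(line, BS);
	local DEL_line = edit(line, DEL);

	if ( input_trouble in line ||
	     input_trouble in BS_line || input_trouble in DEL_line ||
	     line == full_input_trouble )
		NOTICE([$note=SensitiveRSH_Input, $conn=c,
			$msg=line, $sub=s$client_user, $user=s$server_user]);
	}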

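# Handle one line of server->client rsh output.
#   client_user/server_user: usernames the analyzer associates with the
#     connection; used only when no session state exists
#   line: the output line
# Raises FailedRSH_Authentication (first non-empty output line matching
# failure_msgs) and SensitiveRSH_Output.
event rsh_reply(c: connection, client_user: string, server_user: string,
		line: string)
	{
	# Default attribution comes from the event itself; prefer the
	# session record when we have one so notices stay consistent with
	# those raised from rsh_request.
	local client_name = client_user;
	local server_name = server_user;

	if ( c$id in rsh_sessions )
		{
		local s = rsh_sessions[c$id];
		client_name = s$client_user;
		server_name = s$server_user;

		# Only the first non-empty output line is tested for an
		# authentication failure; output_line is bumped only for
		# non-empty lines because of the short-circuit order here.
		if ( line != "" && ++s$output_line == 1 && failure_msgs in line )
			NOTICE([$note=FailedRSH_Authentication, $conn=c,
				$msg=line, $sub=client_name, $user=server_name]);
		}
	# else: no request was seen (e.g. monitoring began mid-connection).
	# We then cannot tell whether this is the first output line, so the
	# failure test is skipped rather than aborting the handler on a
	# missing table index; sensitive-output scanning still runs.

	if ( output_trouble in line || line == full_output_trouble )
		NOTICE([$note=SensitiveRSH_Output, $conn=c,
			$msg=line, $sub=client_name, $user=server_name]);
	}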


