[Bro] [PROVENANCE INTERNET] login_success event
nicolas.retrain at cea.fr
Wed Apr 10 23:52:18 PDT 2013
On 10/04/2013 09:34, nicolas.retrain at cea.fr wrote:
> Hi,
> I apologize in advance for the rough English.
>
> Has anyone already successfully made the login_success (or
> login_failure) event work?
> The event always returns: user= <none>, password=<timeout>.
> Am I forgetting something?
If anyone wants the solution:
I fixed it using a copy-paste of the old login.bro script from Bro IDS
1.5. Only the part that sets:
* skip_authentication
* direct_login_prompts
* login_prompts
* login_non_failure_msgs
* login_failure_msgs
* login_success_msgs
* login_timeout
Now, login events work well :)
>
>
> I have taken a look at the Analyzer code.
> It seems that when the Login Analyzer gets the first server command:
> "OpenBSD/i386 (oof) (ttyp2)"
> it tries to parse it as an authentication, and goes into
> LOGIN_STATE_CONFUSED.
> Then, when the client is authenticating, the analyzer does not see it.
>
> I also asked for a tracker account, but have had no reply yet. I just want
> to share an IMAP analyzer.
Thanks for the account
>
> Best regards,
> Nicolas