[Bro] login_success event
nicolas.retrain at cea.fr
Fri Apr 12 00:46:25 PDT 2013
On 12/04/2013 07:52, Vern Paxson wrote:
>> Has someone already successfully made the login_success (or
>> login_failure) event work?
>> The event always returns: user= <none>, password=<timeout>.
> (1) What version of Bro are you running?
I am using 2.1.
>
> (2) Do you really have plaintext telnet/rlogin traffic? (That's what the
> analyzer focuses on. It's very old.)
Yes, in fact I think the problem is:
- the login analyzer tries to match the incoming command against some key words.
  If it matches, the analyzer raises an event or changes the current state
  (or both).
- these key words have to be defined in a Bro script, in lists like
  "login_success_msgs", "login_failure_msgs"...
- login.bro doesn't exist anymore. So the lists are not redefined, and
  the matching method always returns T (an empty word matches every input
  line).
- consequence: the analyzer raises the login_success event for the first
  input line (whatever it is), and turns the current state to AUTHENTICATE.
- the login_success event leaves the default user and password because it
  cannot find them in the input line.
- the Bro login_success event is launched at a bad time with user=<none>
  and password=<timeout>
- end of story :)
It is a shame that so many Bro scripts have disappeared after
version 1.5. What has happened?
Nicolas
> Vern
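
A small Python model of the failure mode described in the message above, added here as an illustration; it is not Bro's analyzer code and not part of the original post. The function names, the prompt handling, the keyword values and the sample session are all assumptions constructed for the example.

```python
import re

NO_USER, NO_PASSWORD = "<none>", "<timeout>"  # defaults quoted in the thread

def matcher(words):
    # One alternation over the keywords. An empty list compiles to the
    # empty pattern, and the empty pattern matches every input line.
    return re.compile("|".join(re.escape(w) for w in words))

def matches_everything(words):
    # Sanity check to run on each keyword list before trusting its events.
    return matcher(words).search("") is not None

def first_login_event(lines, success_msgs, failure_msgs):
    """Return (event, user, password, line_index) for the first event raised.
    lines holds (direction, text) pairs: "S" = server, "C" = client."""
    ok, bad = matcher(success_msgs), matcher(failure_msgs)
    user, password, pending = NO_USER, NO_PASSWORD, None
    for i, (who, text) in enumerate(lines):
        if who == "C":                      # client answer to the last prompt
            if pending == "user":
                user = text
            elif pending == "password":
                password = text
            pending = None
            continue
        if ok.search(text):
            return ("login_success", user, password, i)
        if bad.search(text):
            return ("login_failure", user, password, i)
        low = text.lower()
        pending = ("user" if "login:" in low
                   else "password" if "password:" in low else None)
    return None

# Constructed plaintext telnet session (not captured traffic).
SESSION = [
    ("S", "Debian GNU/Linux 6.0"),
    ("S", "login: "),
    ("C", "alice"),
    ("S", "Password: "),
    ("C", "s3cret"),
    ("S", "Last login: Thu Apr 11 09:12:01 2013 from 192.0.2.10"),
]

if __name__ == "__main__":
    print(first_login_event(SESSION, [], []))
    print(first_login_event(SESSION, ["Last login"], ["Login incorrect"]))
```

With empty lists the event fires on the banner line with the default credentials; with populated lists it fires only on the "Last login" line, after both prompts have been answered.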