[Bro] Bro Script to detect plain text passwords?

Nick Pratley npratley at redhat.com
Tue Nov 4 18:29:47 PST 2014


Oh, I hadn't seen this before I sent my reply. Good to know, thanks.


On 11/05/2014 12:09 PM, Seth Hall wrote:
> 
>> On Nov 4, 2014, at 6:24 PM, Jeff Hammett <jeff at jeffhammett.com> wrote:
>>
>> Does Bro have this functionality? Or would it be feasible to write a script to do so? (I haven’t written any scripts yet, but am interested).
> 
> Even better, it's something that we ship with, it just needs to be enabled.  We decided to have a default setting of not capturing passwords.  If you run Bro through BroControl, add the following line to your local.bro and do the check/install/restart commands in broctl.
> 
> redef HTTP::default_capture_password = T;
> 
> It will be in a field in your http.log named "password".  There will also be a field named "username".
> 
>> I think I would be most interested in detecting plain text passwords used for http logins, but wouldn’t mind monitoring for other protocols as well.
> 
> For FTP:
> redef FTP::default_capture_password = T;
> 
> Channel passwords are logged by default for IRC too.
> 
>   .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
> 
> 
> 
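
Added example, not part of the original thread: once password capture is enabled as described above, a short Python pass over http.log can list which clients sent a password in the clear, without copying the password itself into the report. The log lines are constructed and use a reduced column set; the function name find_cleartext_logins is made up for this example.

```python
import io

# Constructed http.log excerpt (reduced column set, Bro TSV layout).
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\thttp",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\thost\turi\tusername\tpassword",
    "1415154587.1\tCaaa1\t10.0.0.5\t192.0.2.10\t80\tintranet.example\t/admin\talice\tconstructed-pw",
    "1415154588.2\tCaaa2\t10.0.0.6\t192.0.2.10\t80\tintranet.example\t/\t-\t-",
    "1415154589.3\tCaaa3\t10.0.0.7\t192.0.2.11\t8080\tapp.example\t/login\tbob\t(empty)",
]) + "\n"


def find_cleartext_logins(stream):
    """Return one dict per http.log row that carries a captured password."""
    sep, unset, empty, fields = "\t", "-", "(empty)", []
    findings = []
    for line in stream:
        line = line.rstrip("\r\n")
        if line.startswith("#separator"):
            # Written as an escape such as \x09; decode it to the real character.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, *vals = line[1:].split(sep)
            if key == "fields":
                fields = vals
            elif key == "unset_field" and vals:
                unset = vals[0]
            elif key == "empty_field" and vals:
                empty = vals[0]
        elif line:
            rec = dict(zip(fields, line.split(sep)))
            pw = rec.get("password", unset)
            if pw in (unset, empty):
                continue  # no credentials seen on this request
            findings.append({
                "ts": float(rec["ts"]),
                "client": rec["id.orig_h"],
                "server": f'{rec["id.resp_h"]}:{rec["id.resp_p"]}',
                "host": rec["host"],
                "username": rec["username"],
                "password_len": len(pw),  # report length only, never the value
            })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(io.StringIO(SAMPLE_LOG)):
        print(f)
```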



