[Bro] Telnet log
Vlad Grigorescu
vladg at illinois.edu
Fri Apr 22 09:54:47 PDT 2016
Mayyyybe...?
There's an older Login analyzer which claims to have support for
Telnet, but I personally haven't used it, so I don't know how well it
would work. I believe that it was pretty thorough, it just hasn't been
used in a while.
The events you're looking for are:
https://www.bro.org/sphinx/scripts/base/bif/plugins/Bro_Login.events.bif.bro.html#id-login_output_line
https://www.bro.org/sphinx/scripts/base/bif/plugins/Bro_Login.events.bif.bro.html#id-login_input_line
However, as the TODO states, this protocol analyzer does not get
activated in Bro 2.x. A copy of the script that Bro used to use is here,
though it's a mess and would require porting and cleanup:
https://github.com/grigorescu/bro-scripts/blob/master/scripts/todo/needs_review/login.bro
I might start with something like this, run it against some PCAPs and
then start building a log from there:
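> # Telnet's well-known port.
> const ports = { 23/tcp };
>
> event bro_init() &priority=5
>     {
>     # Attach the Login analyzer to connections on the ports above.
>     Analyzer::register_for_ports(Analyzer::ANALYZER_LOGIN, ports);
>     }
>
> # Print each line of session input.
> event login_input_line(c: connection, line: string)
>     {
>     print "<-", line;
>     }
>
> # Print each line of session output.
> event login_output_line(c: connection, line: string)
>     {
>     print "->", line;
>     }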
--Vlad
john smith <js688886 at gmail.com> writes:
> Hello,
>
> With 2.4.1, is there any way to generate Telnet logs? Thanks in advance!
>
> John
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
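One way to take the script in the reply above from `print` statements to a log stream, as an added example that is not part of the original post or of Bro's own scripts. The `Telnet` module name, the `Info` record, its field names and the `write_line` helper are assumptions made for illustration; the analyzer registration is reused unchanged from the post.

```bro
# Added example (not from the original post): write Login analyzer lines to a log.
# Module name, record fields and write_line() are hypothetical.
module Telnet;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:        time    &log;
		uid:       string  &log;
		id:        conn_id &log;
		# "input" for login_input_line, "output" for login_output_line.
		direction: string  &log;
		line:      string  &log;
	};
}

const ports = { 23/tcp };

event bro_init() &priority=5
	{
	# With no explicit path, the default filter names the file after the module.
	Log::create_stream(Telnet::LOG, [$columns=Info]);
	Analyzer::register_for_ports(Analyzer::ANALYZER_LOGIN, ports);
	}

function write_line(c: connection, direction: string, line: string)
	{
	local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id,
	                   $direction=direction, $line=line];
	Log::write(Telnet::LOG, rec);
	}

# Input lines carry whatever was typed in the session, which on Telnet
# includes cleartext passwords, so the resulting log holds credentials.
event login_input_line(c: connection, line: string)
	{
	write_line(c, "input", line);
	}

event login_output_line(c: connection, line: string)
	{
	write_line(c, "output", line);
	}
```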