I recently demo’d Tenable’s Passive Vulnerability Scanner, but found that it wasn’t a good fit for my environment. However it did have one nice feature I liked, the ability to detect passwords sent in plain text.
Does Bro have this functionality? Or would it be feasible to write a script to do so? (I haven’t written any scripts yet, but am interested).
I think I would be most interested in detecting plain text passwords used for http logins, but wouldn’t mind monitoring for other protocols as well.
Jeff
Absolutely. This is something well suited for Bro’s policy scripts.
-AK
Does Bro have this functionality? Or would it be feasible to write a script to do so? (I haven’t written any scripts yet, but am interested).
Even better, it's something that we ship with, it just needs to be enabled. We decided to have a default setting of not capturing passwords. If you run Bro through BroControl, add the following line to your local.bro and do the check/install/restart commands in broctl.
redef HTTP::default_capture_password = T;
It will be in a field in your http.log named "password". There will also be a field named "username".
I think I would be most interested in detecting plain text passwords used for http logins, but wouldn’t mind monitoring for other protocols as well.
For FTP:
redef FTP::default_capture_password = T;
Channel passwords are logged by default for IRC too.
.Seth
Oh, I hadn't seen this before I sent my reply. Good to know, thanks.
Thanks! This is what I was looking for. One more question, how would I go about logging an entry in the notice.log when plaintext passwords are discovered?