login_success event

Hi,
I apologize in advance for the rough English.

Has anyone already successfully made the login_success (or login_failure) event work?
The event always returns: user= <none>, password=<timeout>.
Am I forgetting something?

I have taken a look at the Analyzer code.
It seems that when the Login Analyzer gets the first server command:
"OpenBSD/i386 (oof) (ttyp2)"
It tries to parse it like an authentication, and goes into the LOGIN_STATE_CONFUSED state.
Then, when the client is authenticating, the analyzer does not see it.

I also asked for a tracker account, but have had no response yet. I just want to share an IMAP analyzer.

Best regards,
Nicolas

Has anyone already successfully made the login_success (or
login_failure) event work?
The event always returns: user= <none>, password=<timeout>.

(1) What version of Bro are you running?

(2) Do you really have plaintext telnet/rlogin traffic? (That's what the
    analyzer focuses on. It's very old.)

    Vern

Has anyone already successfully made the login_success (or
login_failure) event work?
The event always returns: user= <none>, password=<timeout>.

(1) What version of Bro are you running?

I am using 2.1.

(2) Do you really have plaintext telnet/rlogin traffic? (That's what the
     analyzer focuses on. It's very old.)

Yes, in fact I think the problem is:
- The login analyzer tries to match the incoming command against some keywords. If it matches, the analyzer raises an event or changes the current state (or both).
- These keywords have to be defined in a Bro script, in lists like "login_success_msgs", "login_failure_msgs"...
- login.bro doesn't exist anymore, so the lists are not redefined, and the matching method always returns T (an empty word matches every input line).
- Consequence: the analyzer raises the login_success event for the first input line (whatever it is), and turns the current state to AUTHENTICATE.
- The login_success event leaves the default user and password because it cannot find them in the input line.
- The Bro login_success event is launched at a bad time with user=<none> and password=<timeout>.
- End of story :)

It is a shame that so many Bro scripts have disappeared after version 1.5. What has happened?

Nicolas
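
The failure mode described in the message above, as a simplified Python model added here for illustration (it is not Bro's analyzer code or part of the original thread): an empty keyword list compiles to an empty pattern that matches every line, so the banner is reported as login_success with the default user and password. The function names, the `guard_empty` option, the `prompts` parameter, the keyword strings and the sample session are all constructed assumptions.

```python
import re

def compile_words(words, guard_empty=False):
    """Compile a keyword list into one alternation.
    An empty list yields the empty pattern "", which matches any line."""
    if guard_empty and not words:
        return re.compile(r"(?!)")  # hardened variant: never matches
    return re.compile("|".join(re.escape(w) for w in words), re.IGNORECASE)

def analyze(session, prompts, login_success_msgs, login_failure_msgs,
            guard_empty=False):
    """Return (event, user, password, triggering_line) for the first login event."""
    prompt_re = compile_words(prompts, guard_empty)
    ok_re = compile_words(login_success_msgs, guard_empty)
    fail_re = compile_words(login_failure_msgs, guard_empty)
    user, password, pending = "<none>", "<timeout>", None
    for side, line in session:
        if side == "C":                      # client line answers the last prompt
            if pending == "user":
                user = line
            elif pending == "password":
                password = line
            pending = None
            continue
        if ok_re.search(line):               # server line: keyword matching
            return ("login_success", user, password, line)
        if fail_re.search(line):
            return ("login_failure", user, password, line)
        if prompt_re.search(line):
            pending = "password" if "password" in line.lower() else "user"
    return (None, user, password, None)

# Constructed telnet session: ("S" = server line, "C" = client line).
SESSION = [
    ("S", "OpenBSD/i386 (oof) (ttyp2)"),
    ("S", "login: "),
    ("C", "nicolas"),
    ("S", "Password:"),
    ("C", "example-pw"),
    ("S", "Last login: Mon Jan  7 10:02:11 on ttyp1"),
]
# Constructed keyword lists standing in for what a login script would define.
PROMPTS, OK_MSGS, FAIL_MSGS = ["login:", "Password:"], ["Last login"], ["Login incorrect"]

if __name__ == "__main__":
    print("lists undefined:", analyze(SESSION, [], [], []))
    print("lists defined:  ", analyze(SESSION, PROMPTS, OK_MSGS, FAIL_MSGS))
    print("empty, guarded: ", analyze(SESSION, [], [], [], guard_empty=True))
```
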

I only had time and motivation to get as many ported as I did. The intent is to port many of the old ones over time, but it takes a lot of effort. If you would like to port the login script over to git master (creating a scripts/base/protocols/telnet directory perhaps?) I would certainly appreciate it. :)

  .Seth

I have quickly tried to make the whole script work, but I had a lot of dependency errors. For now my Bro script only makes the analyzer work.
I do not promise anything, but if I find time I will take a look once more.