rsh.bro (inadvertently omitted from the 0.9a8 release)

# $Id: rsh.bro,v 1.1 2004/11/02 07:51:22 vern Exp $

@load conn
@load login

# Make sure the rsh control channel (tcp/514) is included in the BPF filter
# Bro builds from capture_filters; nothing else is added here.
# NOTE(review): rsh's separate stderr back-channel, if the analyzer relies on
# seeing it, is not matched by this filter -- confirm whether that is needed.
redef capture_filters += { ["rsh"] = "tcp port 514" };

redef enum Notice += {
  # RSH client username and server username differ (checked on the
  # initial request; see rsh_request).
  DifferentRSH_Usernames,

  # Attempt to authenticate via RSH failed: the first non-empty reply line
  # of the session matched RSH::failure_msgs (see rsh_reply).
  FailedRSH_Authentication,

  # RSH session appears to be interactive - multiple lines of
  # user commands (a request line arrived after the server had already
  # produced output).
  InteractiveRSH,

  # Client input matched input_trouble / full_input_trouble, also after
  # applying BS/DEL line editing (see rsh_request).  $msg carries the line.
  SensitiveRSH_Input,

  # Server output matched output_trouble / full_output_trouble
  # (see rsh_reply).  $msg carries the line.
  SensitiveRSH_Output,
};

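module RSH;

export {
  # Server replies that indicate the rsh request was rejected.  Only the
  # first non-empty reply line of a session is tested against this pattern
  # (see rsh_reply), so keep alternatives anchored/specific with that in
  # mind.  The alternatives are joined with pattern alternation `|`.
  const failure_msgs =
      /^Permission denied/
    | /Login failed/
  &redef;
}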

# Per-connection state for one rsh session (see rsh_sessions below).
type rsh_session_info: record {
        client_user: string;  # username claimed by the client side
        server_user: string;  # username requested on the server side
  initial_cmd: string;        # line carried by the first request seen;
                              # only written in this file, never read
        output_line: count; # number of non-empty reply lines seen so far
};

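# Per-connection rsh state, keyed by the connection's 4-tuple.
global rsh_sessions: table[conn_id] of rsh_session_info;

# Drop the session record once Bro discards the connection itself, so the
# table does not grow without bound on a busy monitor.  Otherwise an entry
# would only ever be replaced when the same 4-tuple is reused (see
# new_rsh_session).
event connection_state_remove(c: connection)
  {
  if ( c$id in rsh_sessions )
    delete rsh_sessions[c$id];
  }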

# Begin tracking an rsh session for connection c, discarding any stale
# record left behind by an earlier connection with the same 4-tuple.
# client_user/server_user come from the rsh request and line is the text of
# the request that started the session.  output_line starts at zero and is
# advanced by rsh_reply.
function new_rsh_session(c: connection, client_user: string,
       server_user: string, line: string)
  {
  local id = c$id;

  # Never let a leftover record for a reused 4-tuple survive.
  if ( id in rsh_sessions )
    delete rsh_sessions[id];

  rsh_sessions[id] = [$client_user = client_user,
                      $server_user = server_user,
                      $initial_cmd = line,
                      $output_line = 0];
  }

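# Handle one line of client->server rsh traffic.  new is true for the
# initial request (the one carrying the usernames and the command); later
# calls carry further client input for the running command.
event rsh_request(c: connection, client_user: string, server_user: string,
      line: string, new: bool)
  {
  # Also test the line with backspace/DEL editing applied, so sensitive
  # input cannot be hidden behind erase characters.  BS and DEL are
  # presumably the constants from login.bro (loaded above).
  local BS_line = edit(line, BS);
  local DEL_line = edit(line, DEL);

  # Start a session on the analyzer's "new" flag, and also whenever no
  # session exists yet (e.g. the initial request was not observed or the
  # state was already discarded): indexing rsh_sessions below without an
  # entry is a runtime error that aborts this handler and thereby skips
  # the sensitive-input check.  In the late-start case initial_cmd records
  # the first line seen rather than the real command.
  if ( new || c$id !in rsh_sessions )
    {
    new_rsh_session(c, client_user, server_user, line);

    if ( client_user != server_user )
      NOTICE([$note=DifferentRSH_Usernames, $conn=c,
        $msg=fmt("differing client/server usernames (%s/%s)",
          client_user, server_user),
        $sub=client_user, $user=server_user]);
    }

  local s = rsh_sessions[c$id];

  # Client input arriving after the server has already produced output
  # points to an interactive session rather than a one-shot command.
  if ( s$output_line > 0 )
    NOTICE([$note=InteractiveRSH, $conn=c,
      $msg="interactive RSH session, input following output",
      $sub=s$client_user, $user=s$server_user]);

  if ( input_trouble in line ||
       input_trouble in BS_line || input_trouble in DEL_line ||
       line == full_input_trouble )
    NOTICE([$note=SensitiveRSH_Input, $conn=c,
      $msg=line, $sub=s$client_user, $user=s$server_user]);
  }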

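# Handle one line of server->client rsh output.
event rsh_reply(c: connection, client_user: string, server_user: string,
    line: string)
  {
  # A reply with no known session (request not observed, or state already
  # discarded) would otherwise hit a runtime error on the table lookup and
  # abort the handler, losing the checks below.  Create a session so output
  # counting still works; the command is unknown, so initial_cmd is empty.
  if ( c$id !in rsh_sessions )
    new_rsh_session(c, client_user, server_user, "");

  local s = rsh_sessions[c$id];

  # Every non-empty reply line bumps output_line (which rsh_request uses to
  # detect interactive sessions), but only the very first one is tested
  # for an authentication-failure message.
  if ( line != "" && ++s$output_line == 1 && failure_msgs in line )
    NOTICE([$note=FailedRSH_Authentication, $conn=c,
      $msg=line, $sub=s$client_user, $user=s$server_user]);

  if ( output_trouble in line || line == full_output_trouble )
    NOTICE([$note=SensitiveRSH_Output, $conn=c,
      $msg=line, $sub=s$client_user, $user=s$server_user]);
  }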