# $Id: rsh.bro,v 1.1 2004/11/02 07:51:22 vern Exp $
# Policy for BSD rsh (TCP port 514): records the client/server user names
# of each rsh session and raises notices for failed authentication,
# interactive use, and sensitive input/output lines.
@load conn
@load login
# Make the capture filter deliver rsh traffic (TCP 514) to the analyzer.
redef capture_filters += { ["rsh"] = "tcp port 514" };
redef enum Notice += {
# RSH client username and server username differ.
DifferentRSH_Usernames,
# Attempt to authenticate via RSH failed.
FailedRSH_Authentication,
# RSH session appears to be interactive - multiple lines of
# user commands.
InteractiveRSH,
# A client input line (possibly after backspace/delete editing) matched
# the sensitive-input patterns (input_trouble / full_input_trouble,
# presumably defined by the login policy loaded above).
SensitiveRSH_Input,
# A server output line matched the sensitive-output patterns
# (output_trouble / full_output_trouble).
SensitiveRSH_Output,
};
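module RSH;
export {
	# Server replies that indicate the rsh authentication was refused.
	# Checked only against the first non-empty output line of a session
	# (see rsh_reply). Patterns are joined with "|", the pattern
	# disjunction operator; extend the set via redef.
	const failure_msgs =
		  /^Permission denied/
		| /Login failed/
	&redef;
}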
# Per-connection state for one rsh session, keyed by conn_id in rsh_sessions.
type rsh_session_info: record {
client_user: string; # user name sent by the client
server_user: string; # user name the client asked to run as on the server
initial_cmd: string; # first request line seen on the connection
output_line: count; # number of non-empty server output lines seen
};
# Session state per connection. NOTE(review): entries are never removed by
# this script, so the table grows with every rsh connection seen; a
# long-running sensor would want an expiry attribute or cleanup on
# connection teardown - TODO confirm the Bro version's supported attributes.
global rsh_sessions: table[conn_id] of rsh_session_info;
# Start (or restart) tracking of the rsh session on connection c, storing
# the two user names and the first request line; output_line begins at 0.
# Any earlier state for the same connection is replaced by the assignment.
function new_rsh_session(c: connection, client_user: string,
		server_user: string, line: string)
	{
	local info: rsh_session_info;

	info$client_user = client_user;
	info$server_user = server_user;
	info$initial_cmd = line;
	info$output_line = 0;

	rsh_sessions[c$id] = info;
	}
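# Handle a client request line. On a new session, record it and flag a
# client/server user-name mismatch; on every line, flag interactive use
# (input after output) and sensitive input. A request whose session is
# unknown (e.g., capture began mid-session) gets state synthesized instead
# of failing the table lookup with a missing-index runtime error.
event rsh_request(c: connection, client_user: string, server_user: string,
		line: string, new: bool)
	{
	# Also examine the line with backspace/delete editing applied, so that
	# keystroke-level obfuscation of a sensitive command is still matched.
	local BS_line = edit(line, BS);
	local DEL_line = edit(line, DEL);

	if ( new )
		{
		new_rsh_session(c, client_user, server_user, line);

		if ( client_user != server_user )
			NOTICE([$note=DifferentRSH_Usernames, $conn=c,
				$msg=fmt("differing client/server usernames (%s/%s)",
					client_user, server_user),
				$sub=client_user, $user=server_user]);
		}
	else if ( c$id !in rsh_sessions )
		# Not flagged as new but no state exists: create it from this
		# line rather than erroring on the lookup below.
		new_rsh_session(c, client_user, server_user, line);

	local s = rsh_sessions[c$id];

	# Input arriving after the server has already produced output means
	# the user is typing commands interactively, not running one command.
	if ( s$output_line > 0 )
		NOTICE([$note=InteractiveRSH, $conn=c,
			$msg="interactive RSH session, input following output",
			$sub=s$client_user, $user=s$server_user]);

	if ( input_trouble in line ||
	     input_trouble in BS_line || input_trouble in DEL_line ||
	     line == full_input_trouble )
		NOTICE([$note=SensitiveRSH_Input, $conn=c,
			$msg=line, $sub=s$client_user, $user=s$server_user]);
	}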
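# Handle a server output line. Counts non-empty output lines (used by
# rsh_request's interactive check), flags an authentication failure when
# the first such line matches failure_msgs, and flags sensitive output.
# A reply with no tracked session (e.g., capture began mid-session) gets
# state synthesized from the user names carried by the event, so output
# is still checked instead of the lookup failing with a runtime error.
event rsh_reply(c: connection, client_user: string, server_user: string,
		line: string)
	{
	if ( c$id !in rsh_sessions )
		# The initial command is unknown here; "" records that.
		new_rsh_session(c, client_user, server_user, "");

	local s = rsh_sessions[c$id];

	# Only the first non-empty output line is tested for a failure
	# message; the increment is what advances output_line.
	if ( line != "" && ++s$output_line == 1 && failure_msgs in line )
		NOTICE([$note=FailedRSH_Authentication, $conn=c,
			$msg=line, $sub=s$client_user, $user=s$server_user]);

	if ( output_trouble in line || line == full_output_trouble )
		NOTICE([$note=SensitiveRSH_Output, $conn=c,
			$msg=line, $sub=s$client_user, $user=s$server_user]);
	}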