# Capture POP3 traffic (TCP port 110) so the POP3 analyzer sees the
# clear-text authentication exchange.
redef capture_filters += { ["pop3"] = "port 110" };
# Ports on which the POP3 analyzer is attached; &redef lets a site add
# non-standard ports from local policy.
global pop3_ports = { 110/tcp } &redef;
# Bind the POP3 analyzer to the ports above.
redef dpd_config += { [ANALYZER_POP3] = [$ports = pop3_ports] };
module ClearPasswords;
export {
# Log of users observed authenticating in the clear. Opened with &raw_output,
# so string fields are written as-is; the records below are tab-separated.
global clear_log_file = open_log_file("clear-password-users") &raw_output;
# (client address, username) pairs already logged. Entries expire after one
# day, so each pair is reported at most once per day; &synchronized shares
# the set across cluster nodes and &persistent keeps it across restarts.
# NOTE(review): the key carries no login status, so a failure followed by a
# success for the same pair is suppressed until the entry expires.
global seen_clear_users: set[addr, string] &create_expire=1day &synchronized &persistent;
}
# Intentionally empty: no per-command processing is done; logging is driven
# solely by the login success/failure events below.
event pop3_request(c: connection, is_orig: bool, command: string, arg: string)
{
}
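## Record one clear-text POP3 login attempt by a remote client.
##
## Writes a single tab-separated line to clear_log_file containing the
## timestamp, client and server addresses, server port, the client's reverse
## DNS name, GeoIP country/region, the login status and the username.
## The password itself is never passed to this function and is not logged.
##
## c:      the POP3 connection
## status: "success" or "failure", as passed by the login event handlers
## user:   the username sent by the client (untrusted, client-supplied)
function log_clear_pw(c: connection, status: string, user: string)
	{
	# Only remote clients are of interest; local hosts are skipped.
	if ( is_local_addr(c$id$orig_h) )
		return;

	# Suppress repeats: one record per (client, user) until the entry expires.
	if ( [c$id$orig_h, user] in seen_clear_users )
		return;

	add seen_clear_users[c$id$orig_h, user];

	local loc = lookup_location(c$id$orig_h);

	# lookup_addr is asynchronous; the record is written once the reverse
	# lookup completes.
	# NOTE(review): there is no timeout clause, so if the lookup never
	# completes the record is silently lost even though the pair was already
	# added to seen_clear_users.
	# NOTE(review): `user` is client-supplied and the file uses &raw_output,
	# so a username containing a tab or newline would corrupt the record
	# layout; sanitize before logging if this log is parsed downstream.
	when ( local hostname = lookup_addr(c$id$orig_h) )
		{
		print clear_log_file, cat_sep("\t", "\\N",
		                              network_time(),
		                              c$id$orig_h,
		                              c$id$resp_h,
		                              port_to_count(c$id$resp_p),
		                              hostname,
		                              loc$country_code,
		                              loc$region,
		                              status,   # was hard-coded "success" for failures too
		                              user);
		}
	}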
## A POP3 client authenticated in the clear; record the user (not the
## password) via log_clear_pw with status "success".
event pop3_login_success(c: connection, is_orig: bool,
			 user: string, password: string)
	{
	local outcome = "success";
	log_clear_pw(c, outcome, user);
	}
## A clear-text POP3 login attempt was rejected; record the user (not the
## password) via log_clear_pw with status "failure".
event pop3_login_failure(c: connection, is_orig: bool,
			 user: string, password: string)
	{
	local outcome = "failure";
	log_clear_pw(c, outcome, user);
	}