login variables
The standard script defines a large number of variables for refining the analysis policy:
input_trouble : pattern
The analyzer searches for these patterns both in the raw text typed by the user and in the same lines after applying editing using the edit function twice: once interpreting BS (ctrl-H) as delete-one-character, and once with DEL as the edit character. If any of these matches, then the analyzer considers the pattern to have matched.
Default: a pattern matching occurrences of the strings “rewt”, “eggdrop”, “loadmodule”, or “/bin/eject”. The first of these is a popular username attackers use for root backdoor accounts. The second reflects that one prevalent class of attackers are devotees of Internet Relay Chat (IRC), who frequently, upon breaking into an account, install the IRC eggdrop utility.
edited_input_trouble : pattern
Same as input_trouble, except the analyzer only checks the edited user input against the pattern, not the raw input (see above).
This variable is provided so you can specify patterns that can occur innocuously as typos; whenever the user corrects the typo before terminating the line, the pattern won't match, because it won't be present in the edited version of the line. In addition, for matches to these patterns, the analyzer delays reporting the match until it sees the next line of output from the server. It then includes both the line that triggered the match and the corresponding response from the server, which makes it easy for a human inspecting the logs to tell whether the occurrence of the pattern was in fact innocuous.
Here's an example of an innocuous report:
936723303.760483 1.2.3.4/21550 > 5.6.7.8/telnet input "cd ..." yielded output "ksh: ...: not found."
It was flagged because the user's input included “...”, a name commonly used by attackers to surreptitiously hide a directory containing their tools and the like. However, we see from the Telnet server's response that this was not actual access to such a directory, but merely a typing mistake.
On the other hand:
937528764.579039 1.2.3.4/3834 > 5.6.7.8/telnet input "cd ..." yielded output "maroon# ftp sunspot.sunspot.noao.edu "
shows a problem: the line returned by the server was a root prompt (“maroon#”), to which the user issued a command to access a remote FTP server.
Deficiency: The analyzer should decouple the notion of waiting to receive the server's reply from the notion of matching only the edited form of the line; there might be raw inputs for which it is useful to see the server's response, and edited inputs for which the server's response is unimportant in terms of knowing that the input spells trouble.
Default: the pattern
/[ \t]*cd[ \t]+((['"]?\.\.\.)|(["'](\.[^"']*)[ \t]))/
which looks for a “cd” command to either a directory beginning with “...” (optionally quoted by the user) or a directory name beginning with “.” that is quoted and includes an embedded blank or tab.
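The raw-versus-edited matching and the delayed “input … yielded output …” report described for input_trouble and edited_input_trouble, as an added Python example (this is not code from the Bro distribution). It uses the two default patterns verbatim. The edit() helper is an assumed re-implementation of Bro's edit function, the decision to apply the BS pass and then the DEL pass in sequence to produce one edited line is an assumption about the analyzer, and SAMPLE_EXCHANGE is a constructed session.

```python
import re

# Default input_trouble pattern from the page: the four sensitive strings.
INPUT_TROUBLE = re.compile(r"rewt|eggdrop|loadmodule|/bin/eject")

# Default edited_input_trouble pattern from the page, used verbatim.
EDITED_INPUT_TROUBLE = re.compile(
    r"""[ \t]*cd[ \t]+((['"]?\.\.\.)|(["'](\.[^"']*)[ \t]))""")

BS = "\x08"   # ctrl-H
DEL = "\x7f"


def edit(s: str, edit_char: str) -> str:
    """Assumed re-implementation of Bro's edit(): every occurrence of
    edit_char deletes the preceding character, if there is one."""
    out = []
    for ch in s:
        if ch == edit_char:
            if out:
                out.pop()
        else:
            out.append(ch)
    return "".join(out)


def edited_form(line: str) -> str:
    """Assumption: the two edit passes are applied in sequence, BS then DEL."""
    return edit(edit(line, BS), DEL)


def input_trouble_matches(line: str) -> bool:
    """input_trouble is checked against the raw text and the edited text."""
    return bool(INPUT_TROUBLE.search(line)
                or INPUT_TROUBLE.search(edited_form(line)))


def edited_input_trouble_matches(line: str) -> bool:
    """edited_input_trouble is checked against the edited text only."""
    return bool(EDITED_INPUT_TROUBLE.search(edited_form(line)))


def analyze_session(exchange):
    """exchange: ("in", text) / ("out", text) events in wire order.
    input_trouble hits are reported at once; edited_input_trouble hits are
    held until the server's next output line and reported together with it,
    in the page's 'input ... yielded output ...' wording."""
    findings = []
    pending = None
    for direction, text in exchange:
        if direction == "in":
            if input_trouble_matches(text):
                findings.append(("input_trouble", edited_form(text)))
            if edited_input_trouble_matches(text):
                pending = edited_form(text)
        elif pending is not None:
            findings.append(("edited_input_trouble",
                             f'input "{pending}" yielded output "{text}"'))
            pending = None
    return findings


# Constructed sample session (not captured traffic).
SAMPLE_EXCHANGE = [
    ("in", "cd ..."),
    ("out", "ksh: ...: not found."),
    ("in", "cd ...\x08\x08\x08/tmp"),   # typo corrected with three backspaces
    ("out", "$ "),
    ("in", "rew\x08wt"),                # backspace hides 'rewt' from the raw text
    ("out", "Password: "),
]

if __name__ == "__main__":
    for kind, detail in analyze_session(SAMPLE_EXCHANGE):
        print(kind, detail)
```

The corrected “cd ...” line never produces a report because only its edited form (“cd /tmp”) is tested, while “rew\x08wt” is caught precisely because input_trouble is also tested against the edited form.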
output_trouble : pattern
Default: the pattern
/^-r.s.*root.*\/bin\/(sh|csh|tcsh)/ | /Jumping to address/ | /smashdu\.c/ | /PATH_UTMP/ | /Log started at =/ | /www\.anticode\.com/ | /smurf\.c by TFreak/ | /Trojaning in progress/ | /Super Linux Xploit/
The first of these triggers any time the user inspects with the ls utility an executable whose pathname ends in /bin/ followed by one of the popular command shells, and the ls output shows that the command shell has been altered to be setuid to root. The remainder match either the output generated by some popular exploit tools (for example, “Jumping to address”, present in many buffer overflow exploit tools), exploit tool names (“smashdu.c”), text found within the tool source code (“smurf.c by TFreak”), or URLs accessed (say via the lynx or fetch utilities) to retrieve attack software (“www.anticode.com”).
backdoor_prompts : pattern
Default: the pattern “/^[!-~]*( ?)[#%$] /”, which matches a line that begins with a series of printable, non-blank characters and ends with a likely prompt character, with a blank just after the prompt character and perhaps before it.
non_backdoor_prompts : pattern
Lines that match backdoor_prompts but also match this pattern are not treated as backdoor prompts.
Default: the pattern “/^ *#.*#/”, which catches lines with more than one occurrence of a #. Some servers generate such lines as part of their welcome banner.
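The output_trouble, backdoor_prompts and non_backdoor_prompts defaults applied to server output, as an added Python example (not code from the Bro distribution). The patterns are the page's defaults; the assumption that both checks are run against each line of server output, the tag names, and SAMPLE_OUTPUT are constructed for the example.

```python
import re

# Default output_trouble alternatives from the page, joined into one pattern.
OUTPUT_TROUBLE = re.compile(
    r"^-r.s.*root.*/bin/(sh|csh|tcsh)"   # setuid-root shell in ls -l output
    r"|Jumping to address"               # common buffer-overflow tool output
    r"|smashdu\.c"
    r"|PATH_UTMP"
    r"|Log started at ="
    r"|www\.anticode\.com"
    r"|smurf\.c by TFreak"
    r"|Trojaning in progress"
    r"|Super Linux Xploit")

# Default backdoor_prompts / non_backdoor_prompts from the page.
BACKDOOR_PROMPTS = re.compile(r"^[!-~]*( ?)[#%$] ")
NON_BACKDOOR_PROMPTS = re.compile(r"^ *#.*#")


def output_trouble_reason(line: str):
    """Text of the first output_trouble alternative that fires, or None."""
    m = OUTPUT_TROUBLE.search(line)
    return m.group(0) if m else None


def is_backdoor_prompt(line: str) -> bool:
    """backdoor_prompts match, unless non_backdoor_prompts excuses the line."""
    return bool(BACKDOOR_PROMPTS.search(line)) and not NON_BACKDOOR_PROMPTS.search(line)


def classify_output(line: str):
    """Tags (assumed names) the defaults would attach to one server output line."""
    tags = []
    if output_trouble_reason(line) is not None:
        tags.append("output_trouble")
    if is_backdoor_prompt(line):
        tags.append("backdoor_prompt")
    return tags


def scan_output(lines):
    """Return (line, tags) for every line that earned at least one tag."""
    return [(line, classify_output(line))
            for line in lines if classify_output(line)]


# Constructed server output (not a real capture).
SAMPLE_OUTPUT = [
    "Last login: Mon Sep  6 10:00:00 1999 from 1.2.3.4",
    "### Welcome to host ###",                       # banner, excused by non_backdoor_prompts
    "-rwsr-xr-x  1 root  wheel  70976 Jan  1  1999 /bin/sh",   # setuid-root shell
    "Jumping to address 0xbffffbb0",                 # exploit tool output
    "maroon# ",                                      # root prompt
]

if __name__ == "__main__":
    for line, tags in scan_output(SAMPLE_OUTPUT):
        print(tags, repr(line))
```

The banner line shows why non_backdoor_prompts exists: “### Welcome to host ###” satisfies the prompt pattern on its first characters, and only the second pattern keeps it out of the report.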
hot_terminal_types : pattern
(“xterm”); these backdoors trigger and skip authentication if the name has a particular value.
Default: the name “VT666”, one of the trigger terminal types we've observed in practice.
hot_telnet_orig_ports : set[port]
Default: 53982/tcp, one of the trigger ports we have observed in practice.
Deficiency: There should be a corresponding variable for Rlogin backdoors triggered by a similar mechanism.
hot_ssh_orig_ports : set[port]
Same as hot_telnet_orig_ports, only for SSH.
Default: 31337/tcp, a trigger port that we've observed in practice.
skip_authentication : set[string]
Default: the string "WELCOME TO THE BERKELEY PUBLIC LIBRARY", which corresponds to a frequently accessed public server in the Berkeley area. (Obviously, we include this default as an example, and not because it will be appropriate for most Bro users! But it does little harm to include it.)
Deficiency: It would be more natural if this variable and a number of others listed below were of type pattern rather than set[string]. They are actually converted internally by the event engine into regular expressions.
direct_login_prompts : set[string]
Default: "TERMINAL?", a prompt used by some terminal servers.
login_prompts : set[string]
A set of strings corresponding to login username prompts during an authentication dialog.
Default: the strings
Login: login: Name: Username: User: Member Name
and the default contents of direct_login_prompts.
login_failure_msgs : set[string]
Default: the strings
invalid Invalid incorrect Incorrect failure Failure, User authorization failure, Login failed, INVALID Sorry, Sorry.
login_non_failure_msgs : set[string]
Counterparts to login_failure_msgs: strings that, if present, mean that the server text does not actually correspond to an authentication failure (i.e., if login_failure_msgs also matches, it's a false positive).
Default: the strings
Failures failures failure since last successful login failures since last successful login
router_prompts : set[string]
Default: empty.
login_success_msgs : set[string]
Default: the strings
Last login Last successful login Last successful login checking for disk quotas unsuccessful login attempts failure since last successful login failures since last successful login
and the default contents of the router_prompts variable.
Deficiency: Since by default router_prompts is empty, this last inclusion does nothing. In particular, if you redefine router_prompts then login_success_msgs will not pick up the change; you will need to redefine it to (again) include router_prompts, using: redef login_success_msgs += router_prompts. This is clearly a misfeature of Bro and will be fixed one fine day.
login_timeouts : set[string]
Default: the strings
timeout timed out Timeout Timed out Error reading command input
(This last is returned by the VMS operating system.)
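How the login_prompts, login_failure_msgs, login_non_failure_msgs, login_success_msgs and login_timeouts defaults combine when classifying one line of server text, as an added Python example (not code from the Bro distribution). The strings are the page's defaults; the way the space-separated default lists are split into individual strings, the precedence timeout > failure > success > prompt, and the sample lines are assumptions made for the example. The page notes that the event engine turns these sets into regular expressions; since every entry is a literal, plain substring search gives the same result here.

```python
# Page defaults, split into individual strings (splitting is an assumption).
LOGIN_PROMPTS = {"Login:", "login:", "Name:", "Username:", "User:", "Member Name",
                 "TERMINAL?"}                      # plus direct_login_prompts default
LOGIN_FAILURE_MSGS = {"invalid", "Invalid", "incorrect", "Incorrect", "failure",
                      "Failure", "User authorization failure", "Login failed",
                      "INVALID", "Sorry", "Sorry."}
LOGIN_NON_FAILURE_MSGS = {"Failures", "failures",
                          "failure since last successful login",
                          "failures since last successful login"}
LOGIN_SUCCESS_MSGS = {"Last login", "Last successful login",
                      "checking for disk quotas", "unsuccessful login attempts",
                      "failure since last successful login",
                      "failures since last successful login"}
LOGIN_TIMEOUTS = {"timeout", "timed out", "Timeout", "Timed out",
                  "Error reading command input"}


def contains_any(line: str, strings) -> bool:
    """Literal substring search; equivalent to the regex the engine builds."""
    return any(s in line for s in strings)


def classify_server_line(line: str):
    """Return 'timeout', 'failure', 'success', 'prompt' or None.
    A login_failure_msgs hit is discarded when login_non_failure_msgs also
    matches, which is exactly the false-positive rule the page describes.
    The precedence among the four outcomes is an assumption."""
    if contains_any(line, LOGIN_TIMEOUTS):
        return "timeout"
    if contains_any(line, LOGIN_FAILURE_MSGS) and \
            not contains_any(line, LOGIN_NON_FAILURE_MSGS):
        return "failure"
    if contains_any(line, LOGIN_SUCCESS_MSGS):
        return "success"
    if contains_any(line, LOGIN_PROMPTS):
        return "prompt"
    return None


def summarize_dialog(lines):
    """Count each outcome over a whole authentication dialog."""
    counts = {"prompt": 0, "failure": 0, "success": 0, "timeout": 0}
    for line in lines:
        kind = classify_server_line(line)
        if kind is not None:
            counts[kind] += 1
    return counts


# Constructed server lines (not a real capture).
SAMPLE_DIALOG = [
    "login: ",
    "Password: ",
    "Login incorrect",
    "login: ",
    "Password: ",
    "3 failures since last successful login.",   # contains 'failure' but is a success banner
    "Last login: Mon Sep  6 10:00:00 1999 from 1.2.3.4",
]

if __name__ == "__main__":
    for line in SAMPLE_DIALOG:
        print(classify_server_line(line), repr(line))
    print(summarize_dialog(SAMPLE_DIALOG))
```

The “3 failures since last successful login.” line is the case login_non_failure_msgs exists for: it contains “failure”, so login_failure_msgs alone would count it as a failed attempt, but the non-failure set cancels that and login_success_msgs then classifies it correctly.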
non_ASCII_hosts : set[addr]
excessive_line).
Default: empty.
skip_logins_to : set[addr]
Default: the (empty) contents of non_ASCII_hosts.
always_hot_login_ids : set[string]
A set of usernames.
Default: the value of always_hot_ids defined by the hot analyzer.
hot_login_ids : set[string]
Default: the value of hot_ids defined by the hot-ids analyzer.
rlogin_id_okay_if_no_password_exposed : set[string]
Usernames in hot_login_ids which the analyzer should not flag as sensitive if the user authenticated without exposing a password (so, for example, via .rhosts).
Default: the username "root".