login analyzer confusion

Because there is no well-defined protocol for Telnet authentication
(or Rlogin, if the initial .rhosts authentication fails), the login
analyzer employs a set of heuristics to detect the username, password,
and whether the authentication attempt succeeded. All in all, these
heuristics work quite well, but it is possible for them to become
confused and reach incorrect conclusions. Bro attempts to detect such
confusion. If it does, then it generates a login_confused event, after
which the event engine will no longer attempt to follow the
authentication dialog. In particular, it will not generate subsequent
login_failure or login_success events. The login_confused event
includes a string describing the type of confusion, using one of the
values given in the table below.
Type of confusion | Meaning
"excessive typeahead" | The user has typed ahead 12 or more lines. Deficiency: The upper bound should be adjustable.
"extra repeat text" | The user has entered more than one VMS repeat sequence (an escape followed by "[A") on the same line. Note: Bro determines that a login session involves a VMS server if the server prompts with "Username: ". It then interprets VMS repeat sequences as indicating it should replace the current line with the previous line.
"multiple USERs" | The user has specified more than one username using the $USER environment variable.
"multiple login prompts" | The analyzer has seen several login prompts on the same line, and has not seen a corresponding number of lines typed ahead previously by the user.
"no login prompt" | The analyzer has seen 50 lines sent by the server without any of them matching login prompts. Deficiency: The value of 50 should be adjustable.
"no username" | The analyzer is generating an event after having already seen a login failure, but the user's input has not provided another username to include with the event. Note: If the analyzer's heuristics indicate it's okay that no new username has been given, such as when the event is generated due to one connection endpoint closing the connection, then it instead uses the username <none>.
"no username2" | The analyzer saw an additional password prompt without seeing an intervening username, and it has no previous username to reuse.
"non empty multi login" | The analyzer saw multiple adjacent login prompts, with an apparently ignored intervening username typed ahead between them.
"possible login ploy" | The client sent text that matches one of the patterns reflecting text usually sent by the server. This form of confusion can reflect an attacker attempting to evade the monitor. For example, the client may have sent the text "login: " as a username so that, when echoed back by the server, the analyzer would misinterpret it as another login prompt from the server.
"repeat without username" | The user entered a VMS repeat sequence but there is no username to repeat. (See "extra repeat text" for a discussion of the analyzer's heuristics for dealing with VMS servers.)
"responder environment" | The responder (login server) has signaled a set of environment variables to the originator (login client). This is the opposite direction from what makes sense.
"username with embedded repeat" | The line repeated by a VMS server in response to a repeat sequence itself contains a repeat sequence.
Table 7.4: Different types of confusion that the login analyzer can report
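To show how a few of these heuristics fire on a Telnet dialog, here is an added, simplified model of four of the confusion types above (excessive typeahead, extra repeat text, no login prompt, possible login ploy). It is example code, not Bro's own analyzer; the prompt regex and the sample dialogs are assumptions constructed for the demonstration, while the thresholds (12 and 50) follow the table.

```python
import re

# Thresholds quoted in the table; the prompt pattern is an assumed
# simplification of the analyzer's real prompt matching.
TYPEAHEAD_LIMIT = 12
NO_PROMPT_LIMIT = 50
LOGIN_PROMPT = re.compile(r"(login|username):\s*$", re.I)
ANY_PROMPT = re.compile(r"(login|username|password):\s*$", re.I)
VMS_REPEAT = "\x1b[A"  # escape followed by "[A"


def find_confusion(dialog):
    """dialog: list of (side, line), side being 'client' or 'server'.
    Returns the first confusion type reached, or None if the dialog
    stays within the modelled heuristics."""
    typeahead = 0           # client lines sent since the last server prompt
    server_since_prompt = 0  # server lines seen without a login prompt
    vms = False             # set once the server prompts with "Username: "
    for side, line in dialog:
        if side == "server":
            if line.endswith("Username: "):
                vms = True
            if ANY_PROMPT.search(line):
                typeahead = 0
            if LOGIN_PROMPT.search(line):
                server_since_prompt = 0
            else:
                server_since_prompt += 1
                if server_since_prompt >= NO_PROMPT_LIMIT:
                    return "no login prompt"
        else:
            # Client text shaped like a server prompt: the evasion case
            # the table calls a "possible login ploy".
            if LOGIN_PROMPT.search(line):
                return "possible login ploy"
            if vms and line.count(VMS_REPEAT) > 1:
                return "extra repeat text"
            typeahead += 1
            if typeahead >= TYPEAHEAD_LIMIT:
                return "excessive typeahead"
    return None


# Constructed sample dialogs (not captured traffic).
NORMAL = [("server", "login: "), ("client", "alice"),
          ("server", "Password: "), ("client", "s3cret")]
PLOY = [("server", "login: "), ("client", "login:")]
VMS = [("server", "Username: "), ("client", "bob" + VMS_REPEAT * 2)]
```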