


7.19.1 login analyzer confusion

Because there is no well-defined protocol for Telnet authentication (or Rlogin, if the initial .rhosts authentication fails), the login analyzer employs a set of heuristics to detect the username, password, and whether the authentication attempt succeeded. All in all, these heuristics work quite well, but it is possible for them to become confused and reach incorrect conclusions.

Bro attempts to detect such confusion. If it does, it generates a login_confused event, after which the event engine no longer attempts to follow the authentication dialog. In particular, it will not generate subsequent login_failure or login_success events for the connection. The login_confused event includes a string describing the type of confusion, using one of the values given in the table below.

Type of confusion and its meaning:

"excessive typeahead"
    The user has typed ahead 12 or more lines. Deficiency: the upper bound should be adjustable.

"extra repeat text"
    The user has entered more than one VMS repeat sequence (an escape followed by "[A") on the same line. Note: Bro determines that a login session involves a VMS server if the server prompts with "Username:". It then interprets VMS repeat sequences as indicating that it should replace the current line with the previous line.

"multiple USERs"
    The user has specified more than one username using the $USER environment variable.

"multiple login prompts"
    The analyzer has seen several login prompts on the same line, and has not seen a corresponding number of lines typed ahead previously by the user.

"no login prompt"
    The analyzer has seen 50 lines sent by the server without any of them matching a login prompt. Deficiency: the value of 50 should be adjustable.

"no username"
    The analyzer is generating an event after having already seen a login failure, but the user's input has not provided another username to include with the event. Note: if the analyzer's heuristics indicate that it is acceptable that no new username has been given, such as when the event is generated because one connection endpoint closed the connection, then it instead uses the username <none>.

"no username2"
    The analyzer saw an additional password prompt without seeing an intervening username, and it has no previous username to reuse.

"non empty multi login"
    The analyzer saw multiple adjacent login prompts, with an apparently ignored intervening username typed ahead between them.

"possible login ploy"
    The client sent text that matches one of the patterns reflecting text usually sent by the server. This form of confusion can reflect an attacker attempting to evade the monitor. For example, the client may have sent the text "login: " as a username, so that when the server echoed it back, the analyzer would misinterpret it as another login prompt from the server.

"repeat without username"
    The user entered a VMS repeat sequence, but there is no username to repeat. (See "extra repeat text" for a discussion of the analyzer's heuristics for dealing with VMS servers.)

"responder environment"
    The responder (login server) has signaled a set of environment variables to the originator (login client). This is the opposite of the direction in which such a signal makes sense.

"username with embedded repeat"
    The line repeated by a VMS server in response to a repeat sequence itself contains a repeat sequence.

Table 7.4: Different types of confusion that the login analyzer can report
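The following Python sketch is an added illustration of how a few of these heuristics interact; it is not code from the Bro distribution, and the real event engine works on raw Telnet/Rlogin byte streams rather than on pre-split lines. Only the two thresholds (12 typed-ahead lines, 50 server lines without a login prompt) come from the text; the prompt and outcome regexes, the event tuples, the LoginDialog class and the sample dialogs are constructed assumptions. It models "excessive typeahead", "no login prompt", "no username", "no username2" and "possible login ploy", and, as the text describes, stops following the dialog after the first login_confused event.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Thresholds taken from the text: 12 typed-ahead lines, 50 server lines without a login prompt.
MAX_TYPEAHEAD = 12
MAX_SERVER_LINES_WITHOUT_PROMPT = 50

# Constructed prompt/outcome patterns; the real analyzer's patterns are richer and configurable.
LOGIN_PROMPT = re.compile(r"(login|username)\s*:\s*$", re.I)
PASSWORD_PROMPT = re.compile(r"password\s*:\s*$", re.I)
LOGIN_FAILED = re.compile(r"login incorrect|login failed|access denied", re.I)
LOGIN_OK = re.compile(r"^last login|welcome|[$#%] ?$", re.I)


@dataclass
class LoginDialog:
    """Minimal model of the login analyzer's heuristic state for one connection (assumed design)."""
    events: List[tuple] = field(default_factory=list)
    confused: bool = False
    seen_login_prompt: bool = False
    server_lines_before_prompt: int = 0
    typeahead: List[str] = field(default_factory=list)  # client lines sent with no prompt outstanding
    pending: Optional[str] = None                       # prompt awaiting an answer: "login" | "password"
    username: Optional[str] = None
    failures: int = 0

    def _confuse(self, reason: str, line: str) -> None:
        # One login_confused event, after which the dialog is no longer followed.
        self.events.append(("login_confused", reason, line))
        self.confused = True

    def _outcome(self, kind: str, line: str) -> None:
        if self.username is None and self.failures > 0:
            # A further outcome after a failure, but the client never supplied a new username.
            self._confuse("no username", line)
            return
        self.events.append((kind, self.username or "<none>"))
        if kind == "login_failure":
            self.failures += 1
            self.username = None   # the next attempt must supply a username again

    def server_line(self, line: str) -> None:
        if self.confused:
            return
        if LOGIN_PROMPT.search(line):
            self.seen_login_prompt = True
            if self.typeahead:
                self.username = self.typeahead.pop(0)   # typed-ahead line answers this prompt
            else:
                self.pending = "login"
        elif PASSWORD_PROMPT.search(line):
            if self.typeahead:
                self.typeahead.pop(0)                   # typed-ahead password; not retained here
            elif self.username is None:
                self._confuse("no username2", line)
            else:
                self.pending = "password"
        elif LOGIN_FAILED.search(line):
            self._outcome("login_failure", line)
        elif LOGIN_OK.search(line):
            self._outcome("login_success", line)
        elif not self.seen_login_prompt:
            self.server_lines_before_prompt += 1
            if self.server_lines_before_prompt >= MAX_SERVER_LINES_WITHOUT_PROMPT:
                self._confuse("no login prompt", line)

    def client_line(self, line: str) -> None:
        if self.confused:
            return
        # Client text shaped like a server prompt would, once echoed back, look like a new prompt;
        # the analyzer flags it rather than trusting the rest of the dialog.
        if LOGIN_PROMPT.search(line) or PASSWORD_PROMPT.search(line):
            self._confuse("possible login ploy", line)
            return
        if self.pending == "login":
            self.username, self.pending = line, None
        elif self.pending == "password":
            self.pending = None                         # password consumed; not retained here
        else:
            self.typeahead.append(line)
            if len(self.typeahead) >= MAX_TYPEAHEAD:
                self._confuse("excessive typeahead", line)


def analyze(dialog: List[Tuple[str, str]]) -> List[tuple]:
    """dialog: list of (direction, line), direction "S" for server or "C" for client."""
    d = LoginDialog()
    for direction, line in dialog:
        (d.server_line if direction == "S" else d.client_line)(line)
    return d.events


# Constructed sample dialogs, not captured traffic.
NORMAL = [("S", "login: "), ("C", "alice"), ("S", "Password: "), ("C", "wrong"),
          ("S", "Login incorrect"), ("S", "login: "), ("C", "alice"),
          ("S", "Password: "), ("C", "right"), ("S", "Last login: Mon Jan  1 from host")]
PLOY = [("S", "login: "), ("C", "login: "), ("S", "login: "), ("C", "alice")]

if __name__ == "__main__":
    print(analyze(NORMAL))
    print(analyze(PLOY))
```

Running the module prints one login_failure followed by one login_success for the ordinary dialog, and a single login_confused event for the ploy dialog, with the echoed prompt and later username ignored. A monitoring deployment would treat a login_confused event as a signal in its own right: the connection was not followed to a verdict, so it deserves inspection rather than being counted as a failed or successful login.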