base/bif/plugins/Bro_Login.events.bif.bro
-
GLOBAL
| Namespace: | GLOBAL |
|---|---|
| Source File: | /scripts/base/bif/plugins/Bro_Login.events.bif.bro |
Summary
Events
activating_encryption: event |
Generated for Telnet sessions when encryption is activated. |
authentication_accepted: event |
Generated when a Telnet authentication has been successful. |
authentication_rejected: event |
Generated when a Telnet authentication has been unsuccessful. |
authentication_skipped: event |
Generated for Telnet/Rlogin sessions when a pattern match indicates that no authentication is performed. |
bad_option: event |
Generated for an ill-formed or unrecognized Telnet option. |
bad_option_termination: event |
Generated for a Telnet option that’s incorrectly terminated. |
inconsistent_option: event |
Generated for an inconsistent Telnet option. |
login_confused: event |
Generated when tracking of Telnet/Rlogin authentication failed. |
login_confused_text: event |
Generated after getting confused while tracking a Telnet/Rlogin authentication dialog. |
login_display: event |
Generated for clients transmitting an X11 DISPLAY in a Telnet session. |
login_failure: event |
Generated for Telnet/Rlogin login failures. |
login_input_line: event |
Generated for lines of input on Telnet/Rlogin sessions. |
login_output_line: event |
Generated for lines of output on Telnet/Rlogin sessions. |
login_prompt: event |
Generated for clients transmitting a terminal prompt in a Telnet session. |
login_success: event |
Generated for successful Telnet/Rlogin logins. |
login_terminal: event |
Generated for clients transmitting a terminal type in a Telnet session. |
rsh_reply: event |
Generated for client side commands on an RSH connection. |
rsh_request: event |
Generated for client side commands on an RSH connection. |
Detailed Interface
Events
-
activating_encryption Type: event(c:connection)Generated for Telnet sessions when encryption is activated. The Telnet protocol includes options for negotiating encryption. When such a series of options is successfully negotiated, the event engine generates this event.
See Wikipedia for more information about the Telnet protocol.
C: The connection. See also:
authentication_accepted,authentication_rejected,authentication_skipped,login_confused,login_confused_text,login_display,login_failure,login_input_line,login_output_line,login_prompt,login_success,login_terminal
-
authentication_accepted Type: event(name:string, c:connection)Generated when a Telnet authentication has been successful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it accepts the authentication, then the event engine generates this event.
See Wikipedia for more information about the Telnet protocol.
Name: The authenticated name. C: The connection. See also:
authentication_rejected,authentication_skipped,login_successNote
This event inspects the corresponding Telnet option while
login_successheuristically determines success by watching session data.Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to
Analyzer::register_for_portsor a DPD payload signature.
-
authentication_rejected Type: event(name:string, c:connection)Generated when a Telnet authentication has been unsuccessful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it did not accept the authentication, then the event engine generates this event.
See Wikipedia for more information about the Telnet protocol.
Name: The attempted authentication name. C: The connection. See also:
authentication_accepted,authentication_skipped,login_failureNote
This event inspects the corresponding Telnet option while
login_successheuristically determines failure by watching session data.Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to
Analyzer::register_for_portsor a DPD payload signature.
-
authentication_skipped Type: event(c:connection)Generated for Telnet/Rlogin sessions when a pattern match indicates that no authentication is performed.
See Wikipedia for more information about the Telnet protocol.
C: The connection. See also:
authentication_accepted,authentication_rejected,direct_login_prompts,get_login_state,login_failure_msgs,login_non_failure_msgs,login_prompts,login_success_msgs,login_timeouts,set_login_stateNote
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying activity. This configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore not directly usable at the moment.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to
Analyzer::register_for_portsor a DPD payload signature.
-
bad_option Type: event(c:connection)Generated for an ill-formed or unrecognized Telnet option.
See Wikipedia for more information about the Telnet protocol.
C: The connection. See also:
inconsistent_option,bad_option_termination,authentication_accepted,authentication_rejected,authentication_skipped,login_confused,login_confused_text,login_display,login_failure,login_input_line,login_output_line,login_prompt,login_success,login_terminalTodo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to
Analyzer::register_for_portsor a DPD payload signature.
-
bad_option_termination Type: event(c:connection)Generated for a Telnet option that’s incorrectly terminated.
See Wikipedia for more information about the Telnet protocol.
C: The connection. See also:
inconsistent_option,bad_option,authentication_accepted,authentication_rejected,authentication_skipped,login_confused,login_confused_text,login_display,login_failure,login_input_line,login_output_line,login_prompt,login_success,login_terminalTodo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to
Analyzer::register_for_portsor a DPD payload signature.
-
inconsistent_option Type: event(c:connection)Generated for an inconsistent Telnet option. Telnet options are specified by the client and server stating which options they are willing to support vs. which they are not, and then instructing one another which in fact they should or should not use for the current connection. If the event engine sees a peer violate either what the other peer has instructed it to do, or what it itself offered in terms of options in the past, then the engine generates this event.
See Wikipedia for more information about the Telnet protocol.
C: The connection. See also:
bad_option,bad_option_termination,authentication_accepted,authentication_rejected,authentication_skipped,login_confused,login_confused_text,login_display,login_failure,login_input_line,login_output_line,login_prompt,login_success,login_terminal
-
login_confused Type: event(c:connection, msg:string, line:string)Generated when tracking of Telnet/Rlogin authentication failed. As Bro’s login analyzer uses a number of heuristics to extract authentication information, it may become confused. If it can no longer correctly track the authentication dialog, it raises this event.
C: The connection. Msg: Gives the particular problem the heuristics detected (for example, multiple_login_promptsmeans that the engine saw several login prompts in a row, without the type-ahead from the client side presumed necessary to cause them)Line: The line of text that caused the heuristics to conclude they were confused. See also:
login_confused_text,login_display,login_failure,login_input_line,login_output_line,login_prompt,login_success,login_terminal,direct_login_prompts,get_login_state,login_failure_msgs,login_non_failure_msgs,login_prompts,login_success_msgs,login_timeouts,set_login_stateTodo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to
Analyzer::register_for_portsor a DPD payload signature.
-
login_confused_text Type: event(c:connection, line:string)Generated after getting confused while tracking a Telnet/Rlogin authentication dialog. The login analyzer generates this even for every line of user input after it has reported
login_confusedfor a connection.C: The connection. Line: The line the user typed. See also:
login_confused,login_display,login_failure,login_input_line,login_output_line,login_prompt,login_success,login_terminal,direct_login_prompts,get_login_state,login_failure_msgs,login_non_failure_msgs,login_prompts,login_success_msgs,login_timeouts,set_login_stateTodo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to
Analyzer::register_for_portsor a DPD payload signature.
-
login_display Type: event(c:connection, display:string)Generated for clients transmitting an X11 DISPLAY in a Telnet session. This information is extracted out of environment variables sent as Telnet options.
C: The connection. Display: The DISPLAY transmitted. See also:
login_confused,login_confused_text,login_failure,login_input_line,login_output_line,login_prompt,login_success,login_terminalTodo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to
Analyzer::register_for_portsor a DPD payload signature.
-
login_failure Type: event(c:connection, user:string, client_user:string, password:string, line:string)Generated for Telnet/Rlogin login failures. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been unsuccessful.
C: The connection. User: The user name tried. Client_user: For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts). Password: The password tried. Line: The line of text that led the analyzer to conclude that the authentication had failed. See also:
login_confused,login_confused_text,login_display,login_input_line,login_output_line,login_prompt,login_success,login_terminal,direct_login_prompts,get_login_state,login_failure_msgs,login_non_failure_msgs,login_prompts,login_success_msgs,login_timeouts,set_login_stateNote
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore not directly usable at the moment.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to
Analyzer::register_for_portsor a DPD payload signature.
-
login_input_line Type: event(c:connection, line:string)Generated for lines of input on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.
C: The connection. Line: The input line. See also:
login_confused,login_confused_text,login_display,login_failure,login_output_line,login_prompt,login_success,login_terminal,rsh_requestTodo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to
Analyzer::register_for_portsor a DPD payload signature.
-
login_output_line Type: event(c:connection, line:string)Generated for lines of output on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.
C: The connection. Line: The ouput line. See also:
login_confused,login_confused_text,login_display,login_failure,login_input_line,login_prompt,login_success,login_terminal,rsh_replyTodo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to
Analyzer::register_for_portsor a DPD payload signature.
-
login_prompt Type: event(c:connection, prompt:string)Generated for clients transmitting a terminal prompt in a Telnet session. This information is extracted out of environment variables sent as Telnet options.
See Wikipedia for more information about the Telnet protocol.
C: The connection. Prompt: The TTYPROMPT transmitted. See also:
login_confused,login_confused_text,login_display,login_failure,login_input_line,login_output_line,login_success,login_terminalTodo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to
Analyzer::register_for_portsor a DPD payload signature.
-
login_success Type: event(c:connection, user:string, client_user:string, password:string, line:string)Generated for successful Telnet/Rlogin logins. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been successful.
C: The connection. User: The user name used. Client_user: For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts). Password: The password used. Line: The line of text that led the analyzer to conclude that the authentication had succeeded. See also:
login_confused,login_confused_text,login_display,login_failure,login_input_line,login_output_line,login_prompt,login_terminal,direct_login_prompts,get_login_state,login_failure_msgs,login_non_failure_msgs,login_prompts,login_success_msgs,login_timeouts,set_login_stateNote
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore not directly usable at the moment.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to
Analyzer::register_for_portsor a DPD payload signature.
-
login_terminal Type: event(c:connection, terminal:string)Generated for clients transmitting a terminal type in a Telnet session. This information is extracted out of environment variables sent as Telnet options.
C: The connection. Terminal: The TERM value transmitted. See also:
login_confused,login_confused_text,login_display,login_failure,login_input_line,login_output_line,login_prompt,login_successTodo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to
Analyzer::register_for_portsor a DPD payload signature.
-
rsh_reply Type: event(c:connection, client_user:string, server_user:string, line:string)Generated for client side commands on an RSH connection.
See RFC 1258 for more information about the Rlogin/Rsh protocol.
C: The connection. Client_user: The client-side user name as sent in the initial protocol handshake. Server_user: The server-side user name as sent in the initial protocol handshake. Line: The command line sent in the request. See also:
rsh_request,login_confused,login_confused_text,login_display,login_failure,login_input_line,login_output_line,login_prompt,login_success,login_terminalNote
For historical reasons, these events are separate from the
login_events. Ideally, they would all be handled uniquely.Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
-
rsh_request Type: event(c:connection, client_user:string, server_user:string, line:string, new_session:bool)Generated for client side commands on an RSH connection.
See RFC 1258 for more information about the Rlogin/Rsh protocol.
C: The connection. Client_user: The client-side user name as sent in the initial protocol handshake. Server_user: The server-side user name as sent in the initial protocol handshake. Line: The command line sent in the request. New_session: True if this is the first command of the Rsh session. See also:
rsh_reply,login_confused,login_confused_text,login_display,login_failure,login_input_line,login_output_line,login_prompt,login_success,login_terminalNote
For historical reasons, these events are separate from the
login_events. Ideally, they would all be handled uniquely.Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
