GLOBAL
¶Namespace: | GLOBAL |
---|---|
Source File: | /scripts/base/bif/plugins/Bro_Login.events.bif.bro |
activating_encryption : event |
Generated for Telnet sessions when encryption is activated. |
authentication_accepted : event |
Generated when a Telnet authentication has been successful. |
authentication_rejected : event |
Generated when a Telnet authentication has been unsuccessful. |
authentication_skipped : event |
Generated for Telnet/Rlogin sessions when a pattern match indicates that no authentication is performed. |
bad_option : event |
Generated for an ill-formed or unrecognized Telnet option. |
bad_option_termination : event |
Generated for a Telnet option that’s incorrectly terminated. |
inconsistent_option : event |
Generated for an inconsistent Telnet option. |
login_confused : event |
Generated when tracking of Telnet/Rlogin authentication failed. |
login_confused_text : event |
Generated after getting confused while tracking a Telnet/Rlogin authentication dialog. |
login_display : event |
Generated for clients transmitting an X11 DISPLAY in a Telnet session. |
login_failure : event |
Generated for Telnet/Rlogin login failures. |
login_input_line : event |
Generated for lines of input on Telnet/Rlogin sessions. |
login_output_line : event |
Generated for lines of output on Telnet/Rlogin sessions. |
login_prompt : event |
Generated for clients transmitting a terminal prompt in a Telnet session. |
login_success : event |
Generated for successful Telnet/Rlogin logins. |
login_terminal : event |
Generated for clients transmitting a terminal type in a Telnet session. |
rsh_reply : event |
Generated for client side commands on an RSH connection. |
rsh_request : event |
Generated for client side commands on an RSH connection. |
activating_encryption
¶Type: | event (c: connection ) |
---|
Generated for Telnet sessions when encryption is activated. The Telnet protocol includes options for negotiating encryption. When such a series of options is successfully negotiated, the event engine generates this event.
See Wikipedia for more information about the Telnet protocol.
C: | The connection. |
---|
See also: authentication_accepted
, authentication_rejected
, authentication_skipped
, login_confused
, login_confused_text
, login_display
, login_failure
, login_input_line
, login_output_line
, login_prompt
, login_success
, login_terminal
authentication_accepted
¶Type: | event (name: string , c: connection ) |
---|
Generated when a Telnet authentication has been successful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it accepts the authentication, then the event engine generates this event.
See Wikipedia for more information about the Telnet protocol.
Name: | The authenticated name. |
---|---|
C: | The connection. |
See also: authentication_rejected
, authentication_skipped
, login_success
Note
This event inspects the corresponding Telnet option
while login_success
heuristically determines success by watching
session data.
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports
or a DPD payload
signature.
authentication_rejected
¶Type: | event (name: string , c: connection ) |
---|
Generated when a Telnet authentication has been unsuccessful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it did not accept the authentication, then the event engine generates this event.
See Wikipedia for more information about the Telnet protocol.
Name: | The attempted authentication name. |
---|---|
C: | The connection. |
See also: authentication_accepted
, authentication_skipped
, login_failure
Note
This event inspects the corresponding Telnet option
while login_success
heuristically determines failure by watching
session data.
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports
or a DPD payload
signature.
authentication_skipped
¶Type: | event (c: connection ) |
---|
Generated for Telnet/Rlogin sessions when a pattern match indicates that no authentication is performed.
See Wikipedia for more information about the Telnet protocol.
C: | The connection. |
---|
See also: authentication_accepted
, authentication_rejected
, direct_login_prompts
, get_login_state
, login_failure_msgs
, login_non_failure_msgs
, login_prompts
, login_success_msgs
, login_timeouts
, set_login_state
Note
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying activity. This configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore not directly usable at the moment.
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports
or a DPD payload
signature.
bad_option
¶Type: | event (c: connection ) |
---|
Generated for an ill-formed or unrecognized Telnet option.
See Wikipedia for more information about the Telnet protocol.
C: | The connection. |
---|
See also: inconsistent_option
, bad_option_termination
, authentication_accepted
, authentication_rejected
, authentication_skipped
, login_confused
, login_confused_text
, login_display
, login_failure
, login_input_line
, login_output_line
, login_prompt
, login_success
, login_terminal
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports
or a DPD payload
signature.
bad_option_termination
¶Type: | event (c: connection ) |
---|
Generated for a Telnet option that’s incorrectly terminated.
See Wikipedia for more information about the Telnet protocol.
C: | The connection. |
---|
See also: inconsistent_option
, bad_option
, authentication_accepted
, authentication_rejected
, authentication_skipped
, login_confused
, login_confused_text
, login_display
, login_failure
, login_input_line
, login_output_line
, login_prompt
, login_success
, login_terminal
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports
or a DPD payload
signature.
inconsistent_option
¶Type: | event (c: connection ) |
---|
Generated for an inconsistent Telnet option. Telnet options are specified by the client and server stating which options they are willing to support vs. which they are not, and then instructing one another which in fact they should or should not use for the current connection. If the event engine sees a peer violate either what the other peer has instructed it to do, or what it itself offered in terms of options in the past, then the engine generates this event.
See Wikipedia for more information about the Telnet protocol.
C: | The connection. |
---|
See also: bad_option
, bad_option_termination
, authentication_accepted
, authentication_rejected
, authentication_skipped
, login_confused
, login_confused_text
, login_display
, login_failure
, login_input_line
, login_output_line
, login_prompt
, login_success
, login_terminal
login_confused
¶Type: | event (c: connection , msg: string , line: string ) |
---|
Generated when tracking of Telnet/Rlogin authentication failed. As Bro’s login analyzer uses a number of heuristics to extract authentication information, it may become confused. If it can no longer correctly track the authentication dialog, it raises this event.
C: | The connection. |
---|---|
Msg: | Gives the particular problem the heuristics detected (for example,
multiple_login_prompts means that the engine saw several login
prompts in a row, without the type-ahead from the client side presumed
necessary to cause them) |
Line: | The line of text that caused the heuristics to conclude they were confused. |
See also: login_confused_text
, login_display
, login_failure
, login_input_line
, login_output_line
, login_prompt
, login_success
, login_terminal
, direct_login_prompts
, get_login_state
, login_failure_msgs
, login_non_failure_msgs
, login_prompts
, login_success_msgs
, login_timeouts
, set_login_state
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports
or a DPD payload
signature.
login_confused_text
¶Type: | event (c: connection , line: string ) |
---|
Generated after getting confused while tracking a Telnet/Rlogin
authentication dialog. The login analyzer generates this even for every
line of user input after it has reported login_confused
for a
connection.
C: | The connection. |
---|---|
Line: | The line the user typed. |
See also: login_confused
, login_display
, login_failure
, login_input_line
, login_output_line
, login_prompt
, login_success
, login_terminal
, direct_login_prompts
, get_login_state
, login_failure_msgs
, login_non_failure_msgs
, login_prompts
, login_success_msgs
, login_timeouts
, set_login_state
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports
or a DPD payload
signature.
login_display
¶Type: | event (c: connection , display: string ) |
---|
Generated for clients transmitting an X11 DISPLAY in a Telnet session. This information is extracted out of environment variables sent as Telnet options.
C: | The connection. |
---|---|
Display: | The DISPLAY transmitted. |
See also: login_confused
, login_confused_text
, login_failure
, login_input_line
, login_output_line
, login_prompt
, login_success
, login_terminal
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports
or a DPD payload
signature.
login_failure
¶Type: | event (c: connection , user: string , client_user: string , password: string , line: string ) |
---|
Generated for Telnet/Rlogin login failures. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been unsuccessful.
C: | The connection. |
---|---|
User: | The user name tried. |
Client_user: | For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts). |
Password: | The password tried. |
Line: | The line of text that led the analyzer to conclude that the authentication had failed. |
See also: login_confused
, login_confused_text
, login_display
, login_input_line
, login_output_line
, login_prompt
, login_success
, login_terminal
, direct_login_prompts
, get_login_state
, login_failure_msgs
, login_non_failure_msgs
, login_prompts
, login_success_msgs
, login_timeouts
, set_login_state
Note
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore not directly usable at the moment.
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports
or a DPD payload
signature.
login_input_line
¶Type: | event (c: connection , line: string ) |
---|
Generated for lines of input on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.
C: | The connection. |
---|---|
Line: | The input line. |
See also: login_confused
, login_confused_text
, login_display
, login_failure
, login_output_line
, login_prompt
, login_success
, login_terminal
, rsh_request
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports
or a DPD payload
signature.
login_output_line
¶Type: | event (c: connection , line: string ) |
---|
Generated for lines of output on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.
C: | The connection. |
---|---|
Line: | The ouput line. |
See also: login_confused
, login_confused_text
, login_display
, login_failure
, login_input_line
, login_prompt
, login_success
, login_terminal
, rsh_reply
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports
or a DPD payload
signature.
login_prompt
¶Type: | event (c: connection , prompt: string ) |
---|
Generated for clients transmitting a terminal prompt in a Telnet session. This information is extracted out of environment variables sent as Telnet options.
See Wikipedia for more information about the Telnet protocol.
C: | The connection. |
---|---|
Prompt: | The TTYPROMPT transmitted. |
See also: login_confused
, login_confused_text
, login_display
, login_failure
, login_input_line
, login_output_line
, login_success
, login_terminal
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports
or a DPD payload
signature.
login_success
¶Type: | event (c: connection , user: string , client_user: string , password: string , line: string ) |
---|
Generated for successful Telnet/Rlogin logins. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been successful.
C: | The connection. |
---|---|
User: | The user name used. |
Client_user: | For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts). |
Password: | The password used. |
Line: | The line of text that led the analyzer to conclude that the authentication had succeeded. |
See also: login_confused
, login_confused_text
, login_display
, login_failure
, login_input_line
, login_output_line
, login_prompt
, login_terminal
, direct_login_prompts
, get_login_state
, login_failure_msgs
, login_non_failure_msgs
, login_prompts
, login_success_msgs
, login_timeouts
, set_login_state
Note
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore not directly usable at the moment.
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports
or a DPD payload
signature.
login_terminal
¶Type: | event (c: connection , terminal: string ) |
---|
Generated for clients transmitting a terminal type in a Telnet session. This information is extracted out of environment variables sent as Telnet options.
C: | The connection. |
---|---|
Terminal: | The TERM value transmitted. |
See also: login_confused
, login_confused_text
, login_display
, login_failure
, login_input_line
, login_output_line
, login_prompt
, login_success
Todo
Bro’s current default configuration does not activate the protocol
analyzer that generates this event; the corresponding script has not yet
been ported to Bro 2.x. To still enable this event, one needs to add a
call to Analyzer::register_for_ports
or a DPD payload
signature.
rsh_reply
¶Type: | event (c: connection , client_user: string , server_user: string , line: string ) |
---|
Generated for client side commands on an RSH connection.
See RFC 1258 for more information about the Rlogin/Rsh protocol.
C: | The connection. |
---|---|
Client_user: | The client-side user name as sent in the initial protocol handshake. |
Server_user: | The server-side user name as sent in the initial protocol handshake. |
Line: | The command line sent in the request. |
See also: rsh_request
, login_confused
, login_confused_text
, login_display
, login_failure
, login_input_line
, login_output_line
, login_prompt
, login_success
, login_terminal
Note
For historical reasons, these events are separate from the
login_
events. Ideally, they would all be handled uniquely.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
rsh_request
¶Type: | event (c: connection , client_user: string , server_user: string , line: string , new_session: bool ) |
---|
Generated for client side commands on an RSH connection.
See RFC 1258 for more information about the Rlogin/Rsh protocol.
C: | The connection. |
---|---|
Client_user: | The client-side user name as sent in the initial protocol handshake. |
Server_user: | The server-side user name as sent in the initial protocol handshake. |
Line: | The command line sent in the request. |
New_session: | True if this is the first command of the Rsh session. |
See also: rsh_reply
, login_confused
, login_confused_text
, login_display
, login_failure
, login_input_line
, login_output_line
, login_prompt
, login_success
, login_terminal
Note
For historical reasons, these events are separate from the
login_
events. Ideally, they would all be handled uniquely.
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.