base/bif/plugins/Bro_Login.events.bif.bro

GLOBAL
Namespace:GLOBAL
Source File:/scripts/base/bif/plugins/Bro_Login.events.bif.bro

Summary

Events

activating_encryption: event Generated for Telnet sessions when encryption is activated.
authentication_accepted: event Generated when a Telnet authentication has been successful.
authentication_rejected: event Generated when a Telnet authentication has been unsuccessful.
authentication_skipped: event Generated for Telnet/Rlogin sessions when a pattern match indicates that no authentication is performed.
bad_option: event Generated for an ill-formed or unrecognized Telnet option.
bad_option_termination: event Generated for a Telnet option that’s incorrectly terminated.
inconsistent_option: event Generated for an inconsistent Telnet option.
login_confused: event Generated when tracking of Telnet/Rlogin authentication failed.
login_confused_text: event Generated after getting confused while tracking a Telnet/Rlogin authentication dialog.
login_display: event Generated for clients transmitting an X11 DISPLAY in a Telnet session.
login_failure: event Generated for Telnet/Rlogin login failures.
login_input_line: event Generated for lines of input on Telnet/Rlogin sessions.
login_output_line: event Generated for lines of output on Telnet/Rlogin sessions.
login_prompt: event Generated for clients transmitting a terminal prompt in a Telnet session.
login_success: event Generated for successful Telnet/Rlogin logins.
login_terminal: event Generated for clients transmitting a terminal type in a Telnet session.
rsh_reply: event Generated for client side commands on an RSH connection.
rsh_request: event Generated for client side commands on an RSH connection.

Detailed Interface

Events

activating_encryption
Type:event (c: connection)

Generated for Telnet sessions when encryption is activated. The Telnet protocol includes options for negotiating encryption. When such a series of options is successfully negotiated, the event engine generates this event.

See Wikipedia for more information about the Telnet protocol.

C:The connection.

See also: authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal

authentication_accepted
Type:event (name: string, c: connection)

Generated when a Telnet authentication has been successful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it accepts the authentication, then the event engine generates this event.

See Wikipedia for more information about the Telnet protocol.

Name:The authenticated name.
C:The connection.

See also: authentication_rejected, authentication_skipped, login_success

Note

This event inspects the corresponding Telnet option while login_success heuristically determines success by watching session data.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

authentication_rejected
Type:event (name: string, c: connection)

Generated when a Telnet authentication has been unsuccessful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it did not accept the authentication, then the event engine generates this event.

See Wikipedia for more information about the Telnet protocol.

Name:The attempted authentication name.
C:The connection.

See also: authentication_accepted, authentication_skipped, login_failure

Note

This event inspects the corresponding Telnet option while login_success heuristically determines failure by watching session data.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

authentication_skipped
Type:event (c: connection)

Generated for Telnet/Rlogin sessions when a pattern match indicates that no authentication is performed.

See Wikipedia for more information about the Telnet protocol.

C:The connection.

See also: authentication_accepted, authentication_rejected, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying activity. This configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore not directly usable at the moment.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

bad_option
Type:event (c: connection)

Generated for an ill-formed or unrecognized Telnet option.

See Wikipedia for more information about the Telnet protocol.

C:The connection.

See also: inconsistent_option, bad_option_termination, authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

bad_option_termination
Type:event (c: connection)

Generated for a Telnet option that’s incorrectly terminated.

See Wikipedia for more information about the Telnet protocol.

C:The connection.

See also: inconsistent_option, bad_option, authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

inconsistent_option
Type:event (c: connection)

Generated for an inconsistent Telnet option. Telnet options are specified by the client and server stating which options they are willing to support vs. which they are not, and then instructing one another which in fact they should or should not use for the current connection. If the event engine sees a peer violate either what the other peer has instructed it to do, or what it itself offered in terms of options in the past, then the engine generates this event.

See Wikipedia for more information about the Telnet protocol.

C:The connection.

See also: bad_option, bad_option_termination, authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal

login_confused
Type:event (c: connection, msg: string, line: string)

Generated when tracking of Telnet/Rlogin authentication failed. As Bro’s login analyzer uses a number of heuristics to extract authentication information, it may become confused. If it can no longer correctly track the authentication dialog, it raises this event.

C:The connection.
Msg:Gives the particular problem the heuristics detected (for example, multiple_login_prompts means that the engine saw several login prompts in a row, without the type-ahead from the client side presumed necessary to cause them)
Line:The line of text that caused the heuristics to conclude they were confused.

See also: login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_confused_text
Type:event (c: connection, line: string)

Generated after getting confused while tracking a Telnet/Rlogin authentication dialog. The login analyzer generates this even for every line of user input after it has reported login_confused for a connection.

C:The connection.
Line:The line the user typed.

See also: login_confused, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_display
Type:event (c: connection, display: string)

Generated for clients transmitting an X11 DISPLAY in a Telnet session. This information is extracted out of environment variables sent as Telnet options.

C:The connection.
Display:The DISPLAY transmitted.

See also: login_confused, login_confused_text, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_failure
Type:event (c: connection, user: string, client_user: string, password: string, line: string)

Generated for Telnet/Rlogin login failures. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been unsuccessful.

C:The connection.
User:The user name tried.
Client_user:For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).
Password:The password tried.
Line:The line of text that led the analyzer to conclude that the authentication had failed.

See also: login_confused, login_confused_text, login_display, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore not directly usable at the moment.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_input_line
Type:event (c: connection, line: string)

Generated for lines of input on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.

C:The connection.
Line:The input line.

See also: login_confused, login_confused_text, login_display, login_failure, login_output_line, login_prompt, login_success, login_terminal, rsh_request

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_output_line
Type:event (c: connection, line: string)

Generated for lines of output on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.

C:The connection.
Line:The ouput line.

See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_prompt, login_success, login_terminal, rsh_reply

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_prompt
Type:event (c: connection, prompt: string)

Generated for clients transmitting a terminal prompt in a Telnet session. This information is extracted out of environment variables sent as Telnet options.

See Wikipedia for more information about the Telnet protocol.

C:The connection.
Prompt:The TTYPROMPT transmitted.

See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_success, login_terminal

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_success
Type:event (c: connection, user: string, client_user: string, password: string, line: string)

Generated for successful Telnet/Rlogin logins. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been successful.

C:The connection.
User:The user name used.
Client_user:For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).
Password:The password used.
Line:The line of text that led the analyzer to conclude that the authentication had succeeded.

See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and the analyzer is therefore not directly usable at the moment.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_terminal
Type:event (c: connection, terminal: string)

Generated for clients transmitting a terminal type in a Telnet session. This information is extracted out of environment variables sent as Telnet options.

C:The connection.
Terminal:The TERM value transmitted.

See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

rsh_reply
Type:event (c: connection, client_user: string, server_user: string, line: string)

Generated for client side commands on an RSH connection.

See RFC 1258 for more information about the Rlogin/Rsh protocol.

C:The connection.
Client_user:The client-side user name as sent in the initial protocol handshake.
Server_user:The server-side user name as sent in the initial protocol handshake.
Line:The command line sent in the request.

See also: rsh_request, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal

Note

For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.

rsh_request
Type:event (c: connection, client_user: string, server_user: string, line: string, new_session: bool)

Generated for client side commands on an RSH connection.

See RFC 1258 for more information about the Rlogin/Rsh protocol.

C:The connection.
Client_user:The client-side user name as sent in the initial protocol handshake.
Server_user:The server-side user name as sent in the initial protocol handshake.
Line:The command line sent in the request.
New_session:True if this is the first command of the Rsh session.

See also: rsh_reply, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal

Note

For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.

Todo

Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.


Copyright 2016, The Bro Project. Last updated on January 10, 2019. Created using Sphinx 1.7.5.