mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
45 lines
1.2 KiB
Text
45 lines
1.2 KiB
Text
@load http
|
|
|
|
module HTTP;
|
|
|
|
export {
|
|
redef enum Notice += {
|
|
PasswordFullFetch, # they got back the whole thing
|
|
PasswordShadowFetch, # they got back a shadowed version
|
|
};
|
|
|
|
# Pattern to search for in replies indicating that a full password
|
|
# file was returned.
|
|
const full_fetch =
|
|
/[[:alnum:]]+\:[[:alnum:]]+\:[[:digit:]]+\:[[:digit:]]+\:/
|
|
&redef;
|
|
|
|
# Same, but indicating a shadow password file was returned.
|
|
const shadow_fetch =
|
|
/[[:alnum:]]+\:\*\:[[:digit:]]+\:[[:digit:]]+\:/
|
|
&redef;
|
|
}
|
|
|
|
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
|
|
{
|
|
local s = lookup_http_request_stream(c);
|
|
local n = s$first_pending_request;
|
|
if ( n !in s$requests )
|
|
return;
|
|
|
|
local req = s$requests[n];
|
|
local passwd_request = req$passwd_req;
|
|
if ( ! passwd_request )
|
|
return;
|
|
|
|
if ( full_fetch in data )
|
|
NOTICE([$note=PasswordFullFetch,
|
|
$conn=c, $method=req$method, $URL=req$URI,
|
|
$msg=fmt("%s %s: %s %s", id_string(c$id), c$addl,
|
|
req$method, req$URI)]);
|
|
else if ( shadow_fetch in data )
|
|
NOTICE([$note=PasswordShadowFetch,
|
|
$conn=c, $method=req$method, $URL=req$URI,
|
|
$msg=fmt("%s %s: %s %s", id_string(c$id), c$addl,
|
|
req$method, req$URI)]);
|
|
}
|