# $Id: clear-passwords.bro 4758 2007-08-10 06:49:23Z vern $
# Monitoring for use of cleartext passwords.
@load ftp
@load login
@load pop3
@load irc
# Log file that receives every record printed by the event handlers in this
# script.  Declared &redef so that it can be redefined elsewhere.
# NOTE(review): the records hold the observed passwords verbatim, so this
# file is as sensitive as the credentials themselves -- restrict who can
# read it and how long it is kept.
const passwd_file = open_log_file("passwords") &redef;
# ftp, login and pop3 call login_{success,failure}, which in turn
# call account_tried(), so we can capture all of them at once here:
event account_tried(c: connection, user: string, passwd: string)
	{
	# Write one record per attempted login: a "local"/"remote" tag chosen
	# by is_local_addr() on the originator address, the account name and
	# password handed to this event, and the id_string() rendering of the
	# connection id.
	#
	# NOTE(review): user and passwd presumably come straight from the
	# monitored traffic; confirm that the output escapes embedded quotes
	# and newlines, so that one login cannot be made to look like several
	# records.
	local origin = is_local_addr(c$id$orig_h) ? "local" : "remote";
	local endpoints = id_string(c$id);

	print passwd_file, fmt("%s account name '%s', password '%s': %s",
				origin, user, passwd, endpoints);
	}
# IRC raises a different event on login, so we hook into it here:
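event irc_join_message(c: connection, info_list: irc_join_list)
	{
	# Write one record per entry of an IRC JOIN, giving the nick and the
	# password carried by that entry.
	#
	# The connection id is appended the same way account_tried() appends
	# it.  Without it a record names a nick and a password but not the
	# hosts involved, so it cannot be attributed during follow-up.  The
	# "IRC JOIN" prefix is unchanged, so matching on the start of the
	# line still works.
	#
	# NOTE(review): a record is written for every entry, whether or not
	# its password field is empty -- confirm that this is intended.
	local endpoints = id_string(c$id);

	for ( entry in info_list )
		print passwd_file, fmt("IRC JOIN name '%s', password '%s': %s",
					entry$nick, entry$password, endpoints);
	}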
# Raised if IRC user tries to become operator:
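event irc_oper_message(c: connection, user: string, password: string)
	{
	# Write one record for an IRC OPER request, giving the user name and
	# the password handed to this event.
	#
	# The connection id is appended the same way account_tried() appends
	# it, so that an operator-password record can be tied to the hosts
	# involved.  The "IRC OPER" prefix is unchanged.
	local endpoints = id_string(c$id);

	print passwd_file, fmt("IRC OPER name '%s', password '%s': %s",
				user, password, endpoints);
	}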