Hi all:

For a number of reasons, I elected to write the attached Bro policy, which looks at HTTP POSTs and performs regular expression matching on the posted data. The regular expression, by default, looks for the words password or passwd in upper or lower case in an attempt to find HTTP authentications via posted form.

Unlike the heartbleed stuff, it does not require a special version of Bro; just @load it, and it will create notices of what it finds. There are a few knobs that can be adjusted that are documented in the script. The only problem with this script is that it is finding way too much - there are way too many cleartext authentications going on. If you look at outbound traffic, you just might see major corporations with security fails...

There are some additional tweaks I want to make to this script, but it is usable as is. I hope if you run this, there aren't too many alarming results in your traffic.

Kudos to the first person who finds the minor inconsistency that I elected not to address.

Hope this helps,

Jim Mellander
NERSC Cybersecurity
Attachment: http-sensitive_POSTs.bro (binary data)
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
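The detection logic described in the post, as an added stand-alone Python example for readers who want to see what such a policy does before loading it into Bro. This is not the attached http-sensitive_POSTs.bro script and not the author's code: the function names, the knobs (IGNORE_HOSTS, SUPPRESS_REPEATS) and the sample requests are all assumptions constructed here. It goes slightly beyond the post's description in two ways that a practitioner would want: for form-encoded bodies it reports only the names of the matching fields (never the posted value, so the detector does not become a second cleartext copy of the credential), and it can suppress repeat notices for the same host and URI, which is one answer to the "finding way too much" problem the post mentions.

```python
import re
from urllib.parse import parse_qsl

# Default pattern, mirroring the post: "password" or "passwd" in any case.
SENSITIVE_RE = re.compile(r"passw(?:or)?d", re.IGNORECASE)

# Knobs (assumed names, not those of the Bro script):
#   IGNORE_HOSTS     - servers whose POSTs are never reported (e.g. an SSO
#                      portal you already know about; constructed value here)
#   SUPPRESS_REPEATS - report each (host, uri) pair only once per run
IGNORE_HOSTS = {"sso.example.internal"}
SUPPRESS_REPEATS = True


def find_sensitive_fields(content_type, body):
    """Return the names of posted fields whose name matches SENSITIVE_RE.

    Values are deliberately never returned: a notice that carries the
    secret is itself a cleartext credential stored in your logs.
    """
    if content_type.startswith("application/x-www-form-urlencoded"):
        names = [name for name, _ in parse_qsl(body, keep_blank_values=True)]
        return sorted({n for n in names if SENSITIVE_RE.search(n)})
    # Other bodies (JSON, multipart, ...): regex over the raw data, as the
    # post describes, reporting only the matched token.
    return sorted({m.group(0).lower() for m in SENSITIVE_RE.finditer(body)})


def scan_requests(requests, ignore_hosts=IGNORE_HOSTS,
                  suppress_repeats=SUPPRESS_REPEATS):
    """requests: iterable of (method, host, uri, content_type, body).

    Returns a list of notice dicts, one per flagged POST, or one per
    (host, uri) pair when suppress_repeats is set.
    """
    seen = set()
    notices = []
    for method, host, uri, ctype, body in requests:
        if method.upper() != "POST" or host in ignore_hosts:
            continue
        fields = find_sensitive_fields(ctype, body)
        if not fields:
            continue
        key = (host, uri)
        if suppress_repeats and key in seen:
            continue
        seen.add(key)
        notices.append({
            "note": "Sensitive_POST",
            "host": host,
            "uri": uri,
            "content_type": ctype,
            "fields": fields,
        })
    return notices


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS = [
    ("POST", "intranet.example.com", "/login",
     "application/x-www-form-urlencoded", "username=alice&Password=hunter2"),
    ("POST", "intranet.example.com", "/login",
     "application/x-www-form-urlencoded", "username=bob&Password=letmein"),
    ("POST", "api.example.net", "/v1/session",
     "application/json", '{"user":"carol","passwd":"s3cret"}'),
    ("POST", "sso.example.internal", "/auth",
     "application/x-www-form-urlencoded", "user=dave&password=x"),
    ("GET", "www.example.org", "/?password=1", "", ""),
    ("POST", "shop.example.org", "/cart",
     "application/x-www-form-urlencoded", "item=42&qty=1"),
]

if __name__ == "__main__":
    for notice in scan_requests(SAMPLE_REQUESTS):
        print(notice)
```

Run as-is it prints two notices: the intranet login (once, the second identical POST is suppressed) and the JSON session call; the SSO host is ignored, the GET is out of scope, and the cart POST has no matching field. Turning SUPPRESS_REPEATS off gives the third notice back, which is roughly what a Bro notice without an `$identifier` would produce.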
