Bro - Capture plaintext and basic Auth passwords


CB

Feb 28, 2015, 4:46:19 PM
to securit...@googlegroups.com
Hi Guys,

I heard it is possible to detect insecure logins using Bro, but the functionality needs to be enabled. What is the best method in SO to modify the Bro config/rules?

Brian Kellogg

Mar 1, 2015, 10:45:32 PM
to securit...@googlegroups.com
In your local.bro add:

redef HTTP::default_capture_password = T;
redef FTP::default_capture_password = T;

CB

Mar 2, 2015, 5:48:56 AM
to securit...@googlegroups.com
Won't this be overwritten when the appliance is upgraded?

Brian Kellogg

Mar 2, 2015, 8:26:20 AM
to securit...@googlegroups.com
It can be, but Doug is very good at letting you know with each upgrade
what local settings you will need to put back. And, he'll make a
backup copy of it during the upgrade.

That is the file that you use for your customizations though, that is
what it is there for. I put a ton of custom junk in it.

Seth Hall

Mar 2, 2015, 1:42:26 PM
to securit...@googlegroups.com

> On Mar 2, 2015, at 8:26 AM, Brian Kellogg <thef...@gmail.com> wrote:
>
> That is the file that you use for your customizations though, that is
> what it is there for. I put a ton of custom junk in it.

You could even create a separate file and do your changes in there and then just load that one file in local.bro.

site/my-config.bro
========
redef HTTP::default_capture_password = T;
redef FTP::default_capture_password = T;

site/local.bro
========
@load my-config

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
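Building on the layout Seth describes, here is an added example (not from this thread or from the Bro project) of a script that could live in site/my-config.bro alongside the two redefs: it raises a Notice whenever HTTP Basic or FTP credentials cross the wire unencrypted, recording only the username so the password itself never has to be written to the logs. The module name and notice type are illustrative choices, not Bro built-ins.

```bro
##! Added example (not from the thread): flag cleartext logins through the
##! Notice framework, keeping the username but never the password.
##! The module name and the Cleartext_Login notice type are illustrative.

@load base/frameworks/notice
@load base/protocols/http
@load base/protocols/ftp

module CleartextAuth;

export {
    redef enum Notice::Type += {
        ## Credentials were observed in an unencrypted session.
        Cleartext_Login,
    };
}

# HTTP: the client request header "Authorization: Basic <base64(user:pass)>".
# Bro uppercases header names before raising http_header.
event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    if ( ! is_orig || name != "AUTHORIZATION" )
        return;
    if ( /^[Bb][Aa][Ss][Ii][Cc] / !in value )
        return;

    # Decode only far enough to extract the username; everything after the
    # first colon (the password) is discarded.
    local decoded = decode_base64(sub(value, /^[Bb][Aa][Ss][Ii][Cc] +/, ""));
    local user = split1(decoded, /:/)[1];

    NOTICE([$note=Cleartext_Login, $conn=c,
            $msg=fmt("HTTP Basic credentials for user '%s' sent in the clear", user),
            $identifier=cat(c$id$orig_h, c$id$resp_h, user)]);
}

# FTP: the PASS command always carries the password in plaintext.
# c$ftp$user was filled in by the preceding USER command.
event ftp_request(c: connection, command: string, arg: string)
{
    if ( command != "PASS" || ! c?$ftp )
        return;

    NOTICE([$note=Cleartext_Login, $conn=c,
            $msg=fmt("FTP login for user '%s' sent in the clear", c$ftp$user),
            $identifier=cat(c$id$orig_h, c$id$resp_h, c$ftp$user)]);
}
```

The notices land in notice.log regardless of whether default_capture_password is T or F, so this can run with password capture left off. On current Zeek, replace split1 with split_string1 (which returns a 0-indexed vector) and use the .zeek extension.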

CB

Mar 2, 2015, 3:36:33 PM
to securit...@googlegroups.com
Really useful guys - will the results show up in the ELSA menu?

/CB

Doug Burks

Mar 3, 2015, 7:43:43 AM
to securit...@googlegroups.com
You can see this setting in action by logging into an FTP server and
then choosing one of the FTP queries from the ELSA menu. When you
drill into your session, you'll see not only your username (which is
logged by default), but also your password.

On Mon, Mar 2, 2015 at 3:36 PM, CB <cr...@advancedcybersecurity.co.uk> wrote:
> Really useful guys - will the results show up in the ELSA menu?
>
> /CB
>



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Craig B

Mar 3, 2015, 7:48:06 AM
to securit...@googlegroups.com
Thanks Doug - can we do the same for HTTP?

Doug Burks

Mar 3, 2015, 8:20:06 AM
to securit...@googlegroups.com
Yes, it should work the same way.

Ric Woodard

Mar 3, 2015, 5:36:54 PM
to securit...@googlegroups.com
Does this need to be edited for all sensors or can it be done on the master server and pushed out similar to rule-update?

Brian Kellogg

Mar 3, 2015, 5:41:33 PM
to securit...@googlegroups.com
All servers. local.bro isn't replicated so others can make custom
settings per sensor for Bro. You can use salt to manually push it
from the server to the sensors though.

On 3/3/15, Ric Woodard <ricwo...@gmail.com> wrote:
> Does this need to be edited for all sensors or can it be done on the master
> server and pushed out similar to rule-update?
>