6.1.21 login.bro

input_trouble : pattern

If a user's keystroke input matches this pattern, then an alert is generated.

edited_input_trouble : pattern

If a user's keystroke input matches this pattern, taking into account backspace and delete characters, then an alert is generated.

full_input_trouble : pattern

If this pattern is matched in a full line of input, an alert is generated.

input_wait_for_output : pattern

The same as edited_input_trouble, except that the alert is delayed until the corresponding output is seen, so that both may be logged together.

output_trouble : pattern

If the login output matches this pattern, an alert is generated.

full_output_trouble : pattern

Similar to output_trouble, but the pattern must match the entire output.

backdoor_prompts : pattern

If the login output matches this pattern, but not non_backdoor_prompts, a possible-backdoor alert is generated.

non_backdoor_prompts : pattern

See backdoor_prompts.

hot_terminal_types : pattern

If the terminal type used matches this pattern, generate an alert.

hot_telnet_orig_ports : set[port]

If the source port of a telnet connection is in this set, generate an alert.

skip_authentication : set[string]

If a string in this set appears where an authentication prompt would normally appear, processing of authentication is skipped (typically for an unauthenticated system). Fixme: Please verify.
Note: This variable is const, so may only be changed via redef.

login_prompts : set[string]

The set of strings that are recognized as login prompts anywhere on a line, e.g., “Login:”.
Note: This variable is const, so may only be changed via redef.

login_failure_msgs : set[string]

If any of these strings appear on a line following an authentication attempt, the attempt is considered to have failed, unless a string from login_non_failure_msgs also appears on the line. This set has higher precedence than login_success_msgs, and the same precedence as login_timeouts.
Note: This variable is const, so may only be changed via redef.

login_non_failure_msgs : set[string]

If any of these strings appear on a line following an authentication attempt, the connection is not considered to have failed even if login_failure_msgs indicates otherwise.
Note: This variable is const, so may only be changed via redef.

login_success_msgs : set[string]

If any of these messages is seen, the connection attempt is assumed to have succeeded. This set has lower precedence than login_failure_msgs and login_timeouts.
Note: This variable is const, so may only be changed via redef.

login_timeouts : set[string]

If any of these messages is seen during the login phase, the connection attempt is assumed to have timed out. This set has higher precedence than login_success_msgs, and the same precedence as login_failure_msgs.

router_prompts : pattern

Fixme: Don't know what this is

non_ASCII_hosts : set[addr]

The set of hosts that do not use ASCII (logins to these hosts are thus not processed).

skip_logins_to : set[addr]

Do not process logins to this set of hosts.

always_hot_login_ids : pattern

Login names that generate an alert even if the login is not successful.

hot_login_ids : pattern

Login names that generate an alert if the login is successful.

rlogin_id_okay_if_no_password_exposed : set[string]

Login names in this set are those which are normally considered sensitive, but are allowed if the associated password is not exposed.

login_sessions : table[conn_id] of login_session_info

A table, indexed by connection ID, of login_session_info records, characterizing each login session.
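
The precedence among login_failure_msgs, login_non_failure_msgs, login_success_msgs and login_timeouts described above can be checked against sample output lines with a small model. This is an added example in Python, not code from Bro or from login.bro. Every string in the sets and every sample line is constructed. Case-sensitive substring matching, and testing failure before timeout when both appear on one line (the page gives them equal precedence), are assumptions.

```python
# Model of the precedence rules this page states for the login message sets.
# Not Bro's code: the set contents and sample lines are constructed values.
LOGIN_FAILURE_MSGS = {"incorrect", "denied", "failed"}
LOGIN_NON_FAILURE_MSGS = {"failed logins since"}
LOGIN_SUCCESS_MSGS = {"Last login"}
LOGIN_TIMEOUTS = {"timed out"}


def _hit(line, strings):
    """True if any string of the set occurs anywhere on the line
    (assumption: case-sensitive substring match)."""
    return any(s in line for s in strings)


def classify(line):
    """Classify one output line that follows an authentication attempt."""
    # A failure string counts only if no non-failure string is on the same line.
    if _hit(line, LOGIN_FAILURE_MSGS) and not _hit(line, LOGIN_NON_FAILURE_MSGS):
        return "failure"
    # Same precedence as failure per the page; tested second here (assumption).
    if _hit(line, LOGIN_TIMEOUTS):
        return "timeout"
    # Success has the lowest precedence of the three outcomes.
    if _hit(line, LOGIN_SUCCESS_MSGS):
        return "success"
    return "undecided"


# Constructed sample lines, chosen so that more than one set matches.
SAMPLE_LINES = [
    "Login incorrect",                              # failure only
    "Login incorrect. Last login: Tue",             # failure beats success
    "Last login: Tue; 2 failed logins since then",  # non-failure cancels "failed"
    "Last login: Tue ... Login timed out",          # timeout beats success
    "Welcome to the system",                        # no set matches
]


def classify_all(lines):
    """Return (line, outcome) pairs for a list of output lines."""
    return [(line, classify(line)) for line in lines]


if __name__ == "__main__":
    for line, outcome in classify_all(SAMPLE_LINES):
        print(f"{outcome:10} {line}")
```
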