


7.19.2 login variables

The standard script defines a large number of variables for refining the analysis policy:

input_trouble : pattern
lists patterns that the analyzer should flag if they appear in the user's input (keystroke) stream.

The analyzer searches for these patterns both in the raw text typed by the user and in the same lines after applying editing using the edit function twice: once interpreting BS (ctrl-H) as delete-one-character, and once interpreting DEL as the edit character. If any of these three forms matches, the analyzer considers the pattern to have matched.

Default: a pattern matching occurrences of the strings “rewt”, “eggdrop”, “loadmodule”, or “/bin/eject”. The first of these is a popular username attackers use for root backdoor accounts. The second reflects that one prevalent class of attackers consists of devotees of Internet Relay Chat (IRC), who frequently, upon breaking into an account, install the IRC eggdrop utility.

edited_input_trouble : pattern
is the same as input_trouble except the analyzer only checks the edited user input against the pattern, not the raw input (see above).

This variable is provided so you can specify patterns that can occur innocuously as typos; whenever the user corrects the typo before terminating the line, the pattern won't match, because it won't be present in the edited version of the line. In addition, for matches to these patterns, the analyzer delays reporting the match until it sees the next line of output from the server. It then includes both the line that triggered the match and the corresponding response from the server, which makes it easy for a human inspecting the logs to tell if the occurrence of the pattern was in fact innocuous.

Here's an example of an innocuous report:

          936723303.760483 1.2.3.4/21550 > 5.6.7.8/telnet
              input "cd ..." yielded output "ksh: ...:  not found."
     

It was flagged because the user's input included “...”, a name commonly used by attackers to surreptitiously hide a directory containing their tools and the like. However, we see from the Telnet server's response that this was not actual access to such a directory, but merely a typing mistake.

On the other hand:

          937528764.579039 1.2.3.4/3834 > 5.6.7.8/telnet
              input "cd ..." yielded output "maroon# ftp
          	sunspot.sunspot.noao.edu "
     

shows a problem: the line returned by the server was a root prompt (“maroon#”), to which the user issued a command to access a remote FTP server.

Deficiency: The analyzer should decouple the notion of waiting to receive the server's reply from the notion of matching only the edited form of the line; there might be raw inputs for which it is useful to see the server's response, and edited inputs for which the server's response is unimportant in terms of knowing that the input spells trouble.

Default: the pattern

              /[ \t]*cd[ \t]+((['"]?\.\.\.)|(["'](\.[^"']*)[ \t]))/
     

which looks for a “cd” command to either a directory beginning with “...” (optionally quoted by the user) or a directory name beginning with “.” that is quoted and includes an embedded blank or tab.
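The following is an added example, not code from the Bro distribution or from this manual: a Python re-implementation of the keystroke editing and matching policy described above for input_trouble and edited_input_trouble, using the two default patterns quoted on this page. The edit() function, the LoginSession class, the notice wording and the sample keystroke lines are this example's own constructions; the only things taken from the page are the patterns and the rule that edited_input_trouble hits wait for the server's next output line.

```python
import re

# Erase characters a Telnet/Rlogin user might send. The analyzer does not
# know which one the remote terminal honours, so both passes are tried.
BS = "\x08"   # ctrl-H
DEL = "\x7f"

# Defaults quoted from the page; Bro applies them as unanchored searches.
INPUT_TROUBLE = re.compile(r"rewt|eggdrop|loadmodule|/bin/eject")
EDITED_INPUT_TROUBLE = re.compile(
    r"""[ \t]*cd[ \t]+((['"]?\.\.\.)|(["'](\.[^"']*)[ \t]))""")


def edit(line: str, edit_char: str) -> str:
    """Re-implementation (assumed semantics) of Bro's edit(): every occurrence
    of edit_char deletes the character typed before it; an erase at the start
    of the line deletes nothing.  Any other control character is kept as is."""
    out = []
    for ch in line:
        if ch == edit_char:
            if out:
                out.pop()
        else:
            out.append(ch)
    return "".join(out)


def forms(line: str) -> dict:
    """The three versions of a keystroke line the analyzer inspects."""
    return {"raw": line, "bs": edit(line, BS), "del": edit(line, DEL)}


def check_input_line(line: str) -> dict:
    """Apply the page's two policies to one line of user input.

    input_trouble: matched against raw, BS-edited and DEL-edited text.
    edited_input_trouble: matched only against the two edited versions; a
    hit is reported later, together with the server's next output line.
    Note that a line erased with DEL is unchanged by the BS pass (and vice
    versa), so 'edited_hits' records which pass produced the hit."""
    f = forms(line)
    edited_hits = {k: bool(EDITED_INPUT_TROUBLE.search(f[k])) for k in ("bs", "del")}
    return {
        "input_trouble": any(INPUT_TROUBLE.search(v) for v in f.values()),
        "edited_input_trouble": any(edited_hits.values()),
        "edited_hits": edited_hits,
    }


class LoginSession:
    """Tracks one login connection and emits notices in the style the page
    shows.  conn is a free-form label such as '1.2.3.4/21550 > 5.6.7.8/telnet'."""

    def __init__(self, conn: str):
        self.conn = conn
        self.pending = None      # edited_input_trouble hit awaiting server output
        self.notices = []

    def input_line(self, line: str) -> None:
        r = check_input_line(line)
        if r["input_trouble"]:
            # Reported immediately; raw keystrokes shown with repr() so erase
            # characters remain visible to the person reading the log.
            self.notices.append(f"{self.conn} input {line!r} matched input_trouble")
        if r["edited_input_trouble"]:
            # Keep the edited form that matched and wait for the server's reply.
            self.pending = edit(line, BS) if r["edited_hits"]["bs"] else edit(line, DEL)

    def output_line(self, line: str) -> None:
        if self.pending is not None:
            self.notices.append(
                f'{self.conn} input "{self.pending}" yielded output "{line}"')
            self.pending = None


if __name__ == "__main__":
    # Constructed sample session: a typo corrected with backspace (only the
    # BS-edited text contains "/bin/eject"), then a real "cd ..." answered
    # by the shell, which is what makes the deferred report useful.
    s = LoginSession("1.2.3.4/21550 > 5.6.7.8/telnet")
    for keystrokes, reply in [("ls -l /bin/ejec\x08ct", "-rwxr-xr-x  1 root  wheel  /bin/eject"),
                              ("cd ...", "ksh: ...:  not found.")]:
        s.input_line(keystrokes)
        s.output_line(reply)
    print("\n".join(s.notices))
```

Because the analyzer ORs the two edit passes, only a typo erased with the character that a given pass interprets disappears from that pass's output; the other pass still sees the raw keystrokes, which is why check_input_line() reports the per-pass result rather than a single boolean.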

output_trouble : pattern
lists patterns that the analyzer should flag if they occur in the output sent by the login server back to the user.

Default: the pattern

                /^-r.s.*root.*\/bin\/(sh|csh|tcsh)/
              | /Jumping to address/
              | /smashdu\.c/
              | /PATH_UTMP/
              | /Log started at =/
              | /www\.anticode\.com/
              | /smurf\.c by TFreak/
              | /Trojaning in progress/
              | /Super Linux Xploit/
     

The first of these triggers whenever the user lists, with the ls utility, an executable whose pathname ends in /bin/ followed by one of the popular command shells, and the listing shows that the shell has been made setuid root (the leading “-r.s” matches the setuid bit in the owner's permission field). The remainder match either output generated by some popular exploit tools (for example, “Jumping to address”, present in many buffer overflow exploit tools), exploit tool names (“smashdu.c”), text found within tool source code (“smurf.c by TFreak”), or URLs accessed (say via the lynx or fetch utilities) to retrieve attack software (“www.anticode.com”).


backdoor_prompts : pattern
lists patterns that the analyzer should flag if they are seen as the first line sent by the server to the user, because they often correspond to backdoors that offer a remote user immediate command shell access without having to first authenticate.

Default: the pattern “/^[!-~]*( ?)[#%$] /”, which matches a line that begins with a series of printable, non-blank characters and ends with a likely prompt character, with a blank just after the prompt character and perhaps before it.


non_backdoor_prompts : pattern
lists patterns that, if matched by a line that also matches backdoor_prompts, mean the analyzer should not consider the server output as indicating a backdoor prompt. Used to limit false positives for backdoor_prompts.

Default: the pattern “/^ *#.*#/”, which catches lines that begin with a # (after optional blanks) and contain at least one more #. Some servers generate such lines as part of their welcome banner.


hot_terminal_types : pattern
lists “magic” terminal types sometimes used by attackers to access backdoors. Both Telnet and Rlogin have mechanisms for negotiating a terminal type (name; e.g., “xterm”); these backdoors trigger and skip authentication if the name has a particular value.

Default: the name “VT666”, one of the trigger terminal types we've observed in practice.


hot_telnet_orig_ports : set[port]
Some Telnet backdoors trigger if the ephemeral port used by the client side of the connection happens to be a particular value. This variable lists the port values whose use should be considered as possibly indicating a backdoor. Note: clearly, this mechanism can generate false positives when a legitimate client by chance happens to choose one of the listed ports.

Default: 53982/tcp, one of the trigger ports we have observed in practice.

Deficiency: There should be a corresponding variable for Rlogin backdoors triggered by a similar mechanism.

hot_ssh_orig_ports : set[port]
Similar to hot_telnet_orig_ports, only for SSH.

Default: 31337/tcp, a trigger port that we've observed in practice.

skip_authentication : set[string]
A set of strings that, if present in the server's initial output (i.e., its welcome banner), indicates the analyzer should not attempt to analyze the session for an authentication dialog. This is used for servers that provide public access and don't bother authenticating the user.

Default: the string "WELCOME TO THE BERKELEY PUBLIC LIBRARY", which corresponds to a frequently accessed public server in the Berkeley area. (Obviously, we include this default as an example, and not because it will be appropriate for most Bro users! But it does little harm to include it.)

Deficiency: It would be more natural if this variable and a number of others listed below were of type pattern rather than set[string]. They are actually converted internally by the event engine into regular expressions.

direct_login_prompts : set[string]
A set of strings that if seen during the authentication dialog mean that the user will be logged in as soon as they answer the prompt.

Default: "TERMINAL?", a prompt used by some terminal servers.

login_prompts : set[string]
A set of strings corresponding to login username prompts during an authentication dialog.

Default: the strings

              Login:
              login:
              Name:
              Username:
              User:
              Member Name
     

and the default contents of direct_login_prompts.

login_failure_msgs : set[string]
A set of strings that if seen in text sent by the server during the authentication dialog correspond to a failed login attempt.

Default: the strings

              invalid
              Invalid
              incorrect
              Incorrect
              failure
              Failure,
              User authorization failure,
              Login failed,
              INVALID
              Sorry,
              Sorry.
     

login_non_failure_msgs : set[string]
A set of strings similar to login_failure_msgs that if present mean that the server text does not actually correspond to an authentication failure (i.e., if login_failure_msgs also matches, it's a false positive).

Default: the strings

              Failures
              failures
              failure since last successful login
              failures since last successful login
     

router_prompts : set[string]
A set of strings corresponding to prompts returned by the local routers when a user successfully authenticates to the router. This variable exists to feed the next variable, login_success_msgs.

Default: empty.

login_success_msgs : set[string]
A set of strings that if seen in text sent by the server during the authentication dialog correspond to a successful authentication attempt.

Default: the strings

              Last login
              Last successful login
              Last   successful login
              checking for disk quotas
              unsuccessful login attempts
              failure since last successful login
              failures since last successful login
     

and the default contents of the router_prompts variable.

Deficiency: Since by default router_prompts is empty, this last inclusion does nothing. In particular, if you redefine router_prompts then login_success_msgs will not pick up the change; you will need to redefine it to (again) include router_prompts, using: redef login_success_msgs += router_prompts. This is clearly a misfeature of Bro and will be fixed one fine day.

login_timeouts : set[string]
A set of strings that if seen in text sent by the server during the authentication dialog correspond to the server having timed out the authentication attempt.

Default: the strings

              timeout
              timed out
              Timeout
              Timed out
              Error reading command input
     

(This last is returned by the VMS operating system.)
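As an added example (not code from this manual or from the Bro distribution), the following Python classifier applies the server-side variables described above: backdoor_prompts with its non_backdoor_prompts veto on the first server line, and the login_prompts, direct_login_prompts, login_failure_msgs, login_non_failure_msgs, login_success_msgs and login_timeouts sets on the lines of the authentication dialog. The set contents and patterns are the defaults quoted on this page; the precedence between the sets, the label names and the sample banner lines are this example's own assumptions. Substring search stands in for the internal conversion of the set[string] values to regular expressions that the page mentions.

```python
import re

# Defaults quoted from the page.
BACKDOOR_PROMPTS = re.compile(r"^[!-~]*( ?)[#%$] ")
NON_BACKDOOR_PROMPTS = re.compile(r"^ *#.*#")

DIRECT_LOGIN_PROMPTS = {"TERMINAL?"}
LOGIN_PROMPTS = {"Login:", "login:", "Name:", "Username:", "User:",
                 "Member Name"} | DIRECT_LOGIN_PROMPTS
LOGIN_FAILURE_MSGS = {"invalid", "Invalid", "incorrect", "Incorrect", "failure",
                      "Failure,", "User authorization failure,", "Login failed,",
                      "INVALID", "Sorry,", "Sorry."}
LOGIN_NON_FAILURE_MSGS = {"Failures", "failures",
                          "failure since last successful login",
                          "failures since last successful login"}
ROUTER_PROMPTS = set()      # empty by default, as on the page
LOGIN_SUCCESS_MSGS = {"Last login", "Last successful login",
                      "Last   successful login", "checking for disk quotas",
                      "unsuccessful login attempts",
                      "failure since last successful login",
                      "failures since last successful login"} | ROUTER_PROMPTS
LOGIN_TIMEOUTS = {"timeout", "timed out", "Timeout", "Timed out",
                  "Error reading command input"}


def contains_any(line, strings):
    """Substring search, standing in for the regular expressions the event
    engine builds from these set[string] values (assumption of this example)."""
    return any(s in line for s in strings)


def is_backdoor_prompt(first_line):
    """backdoor_prompts is only consulted for the first line the server sends,
    and a line that also matches non_backdoor_prompts is not reported."""
    return (bool(BACKDOOR_PROMPTS.search(first_line))
            and not NON_BACKDOOR_PROMPTS.search(first_line))


def classify_server_line(line, first_line=False):
    """Label one line of server output.  The precedence is this example's own:
    timeouts and success strings are tested before failure strings, so that
    e.g. '2 failures since last successful login', which the page lists under
    both login_non_failure_msgs and login_success_msgs, comes out as success."""
    if first_line and is_backdoor_prompt(line):
        return "backdoor_prompt"
    if contains_any(line, LOGIN_TIMEOUTS):
        return "timeout"
    if contains_any(line, LOGIN_SUCCESS_MSGS):
        return "success"
    if contains_any(line, LOGIN_FAILURE_MSGS) and not contains_any(line, LOGIN_NON_FAILURE_MSGS):
        return "failure"
    if contains_any(line, DIRECT_LOGIN_PROMPTS):
        return "direct_login_prompt"
    if contains_any(line, LOGIN_PROMPTS):
        return "login_prompt"
    return "other"


def classify_dialog(server_lines):
    """Classify a server's output lines in order; only the very first line is
    a candidate for a backdoor prompt."""
    return [classify_server_line(l, first_line=(i == 0))
            for i, l in enumerate(server_lines)]


if __name__ == "__main__":
    # Constructed server transcripts: a normal login with one failed attempt,
    # a banner whose double '#' would otherwise look like a prompt, and a
    # connection that drops straight into a root shell.
    for lines in (["Welcome to maroon", "login: ", "Password: ", "Login incorrect",
                   "login: ", "Password: ", "Last login: Sat Sep  4 12:00:01 from 1.2.3.4"],
                  ["## Welcome to maroon ##", "Username: "],
                  ["maroon# ", "ftp sunspot.sunspot.noao.edu"]):
        print(list(zip(lines, classify_dialog(lines))))
```

Run against a real session, the useful checks are the vetoed banner (second transcript) and the first-line-only rule: a root prompt that appears later in a dialog, after a login prompt, is not a backdoor prompt, only one that arrives before any authentication exchange.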

non_ASCII_hosts : set[addr]
A set of addresses corresponding to hosts whose login servers do not (primarily) use 7-bit ASCII. The analyzer will not attempt to analyze authentication dialogs to such hosts, and will not complain about huge lines generated by either the sender or receiver (per excessive_line).

Default: empty.

skip_logins_to : set[addr]
A set of addresses corresponding to hosts for which the analyzer should not attempt to analyze authentication dialogs.

Default: the (empty) contents of non_ASCII_hosts.

always_hot_login_ids : set[string]
A set of usernames that the analyzer should always flag as sensitive, even if they're seen in a session for which the analyzer is confused (See: login analyzer confusion).

Default: the value of always_hot_ids defined by the hot analyzer.

hot_login_ids : set[string]
A set of usernames that the analyzer should flag as sensitive, unless it sees them in a session for which the analyzer is confused (See: login analyzer confusion).

Default: the value of hot_ids defined by the hot-ids analyzer.


rlogin_id_okay_if_no_password_exposed : set[string]
A set of username exceptions to hot_login_ids which the analyzer should not flag as sensitive if the user authenticated without exposing a password (so, for example, via .rhosts).

Default: the username "root".