This rule matches when the phrase "password" is detected in the packet payload. Once a match occurs, Zeek generates an alert and creates two additional log files (signatures.log and notice.log).
root@dco:~$ nano http-clearText-password.sig
# Zeek signature: raise an alert when the literal string "password" appears in
# the payload of a TCP connection to port 80 (unencrypted HTTP). A match is
# written to signatures.log and notice.log when the pcap is replayed with
# `zeek -s <this file>`.
#
# signature: Signature name (shows up as sig_id in signatures.log).
# ip-proto: Filtering TCP connection.
# dst-port: Filtering destination port 80, i.e. plain HTTP only; traffic on
#           other ports (including TLS on 443) is not inspected by this rule.
# payload: Filtering the "password" phrase. As written the regex matches only
#          lowercase "password" — "Password", "PASSWORD" or "passwd" will not
#          trigger it; widen the pattern if those variants matter.
# event: Signature match message (event_msg in signatures.log, msg in notice.log).
# NOTE(review): the matched payload excerpt is logged as sub_msg / sub, so these
# logs may contain the credential itself — restrict access to them accordingly.
signature http-password {
ip-proto == tcp
dst-port == 80
payload /.*password.*/
event "Cleartext Password Found!"
}
root@dco:~$ zeek -C -r http.pcap -s http-clearText-password.sig
root@dco:~$ ls
clear-logs.sh conn.log files.log http-clearText-password.sig http.log http.pcap notice.log packet_filter.log signatures.log
root@dco:~$ cat notice.log | zeek-cut id.orig_h id.resp_h msg
10.10.57.178 44.228.249.3 10.10.57.178: Cleartext Password Found!
10.10.57.178 44.228.249.3 10.10.57.178: Cleartext Password Found!
root@dco:~$ cat signatures.log | zeek-cut src_addr dest_addr sig_id event_msg
10.10.57.178 http-password 10.10.57.178: Cleartext Password Found!
10.10.57.178 http-password 10.10.57.178: Cleartext Password Found!
* Both signatures.log and notice.log provide basic details of the matching connection together with the signature message.
root@dco:~$ cat signatures.log | zeek-cut sub_msg
POST /userinfo.php HTTP/1.1\x0d\x0aHost: testphp.vulnweb.com\x0d\x0aUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/...
root@dco:~$ cat notice.log | zeek-cut sub
POST /userinfo.php HTTP/1.1\x0d\x0aHost: testphp.vulnweb.com\x0d\x0aUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/...
* Both signatures.log and notice.log have an application banner field (sub_msg and sub respectively) which
can be used to identify where in the payload the signature match occurred.