HTTP CLEARTEXT PASSWORD DETECTION

This rule matches when the literal string "password" appears in the payload of a TCP connection whose destination port is 80 (plain HTTP, client-to-server direction only). On a match Zeek records the hit in signatures.log and, because a signature match also raises a notice, in notice.log; neither file is written unless a signature fires.

root@dco:~$ nano http-clearText-password.sig
 # signature: Signature name; it appears as sig_id in signatures.log.
 # ip-proto: Only inspect TCP connections.
 # dst-port: Only inspect traffic sent TO port 80, i.e. the client-to-server
 #           side of plain HTTP. HTTP on other ports and server responses
 #           (source port 80) are not checked.
 # payload: Match the literal, case-sensitive string "password" anywhere in
 #          the payload. "Password", "passwd" or a form field named "pass"
 #          will NOT match; widen the pattern if those are in scope.
 # event: Message recorded in signatures.log/notice.log when the signature fires.

 signature http-password {
  ip-proto == tcp
  dst-port == 80
  # NOTE(review): literal and case-sensitive match, see header comment above.
  payload /.*password.*/
  event "Cleartext Password Found!"
 }

root@dco:~$ zeek -C -r http.pcap -s http-clearText-password.sig
root@dco:~$ ls
 clear-logs.sh  conn.log  files.log  http-clearText-password.sig  http.log  http.pcap  notice.log  packet_filter.log  signatures.log
 
root@dco:~$ cat notice.log  | zeek-cut id.orig_h id.resp_h msg
 10.10.57.178	44.228.249.3	10.10.57.178: Cleartext Password Found!
 10.10.57.178	44.228.249.3	10.10.57.178: Cleartext Password Found!
 
root@dco:~$ cat signatures.log | zeek-cut src_addr dest_addr sig_id event_msg 
 10.10.57.178		http-password	10.10.57.178: Cleartext Password Found!
 10.10.57.178		http-password	10.10.57.178: Cleartext Password Found!
 
 * signatures.log and notice.log both give the endpoints and the signature message; note that in this run the dest_addr column of signatures.log is empty, so use notice.log's id.resp_h (or conn.log) to get the responder address.
 
root@dco:~$ cat signatures.log | zeek-cut sub_msg
 POST /userinfo.php HTTP/1.1\x0d\x0aHost: testphp.vulnweb.com\x0d\x0aUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/...

root@dco:~$ cat notice.log  | zeek-cut sub
 POST /userinfo.php HTTP/1.1\x0d\x0aHost: testphp.vulnweb.com\x0d\x0aUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/...
 
 * both logs also carry the matched payload (sub_msg in signatures.log, sub in notice.log),
   which shows exactly where in the request the signature fired. Because that field holds
   the request that carried the cleartext credential, these logs are themselves sensitive
   and should be access-controlled and retained accordingly.
