base/bif/plugins/Zeek_Login.events.bif.zeek

Namespace: GLOBAL

Summary

Events

  • activating_encryption (event) – Generated for Telnet sessions when encryption is activated.

  • authentication_accepted (event) – Generated when a Telnet authentication has been successful.

  • authentication_rejected (event) – Generated when a Telnet authentication has been unsuccessful.

  • authentication_skipped (event) – Generated for Telnet/Rlogin sessions when a pattern match indicates that no authentication is performed.

  • bad_option (event) – Generated for an ill-formed or unrecognized Telnet option.

  • bad_option_termination (event) – Generated for a Telnet option that’s incorrectly terminated.

  • inconsistent_option (event) – Generated for an inconsistent Telnet option.

  • login_confused (event) – Generated when tracking of Telnet/Rlogin authentication failed.

  • login_confused_text (event) – Generated after getting confused while tracking a Telnet/Rlogin authentication dialog.

  • login_display (event) – Generated for clients transmitting an X11 DISPLAY in a Telnet session.

  • login_failure (event) – Generated for Telnet/Rlogin login failures.

  • login_input_line (event) – Generated for lines of input on Telnet/Rlogin sessions.

  • login_output_line (event) – Generated for lines of output on Telnet/Rlogin sessions.

  • login_prompt (event) – Generated for clients transmitting a terminal prompt in a Telnet session.

  • login_success (event) – Generated for successful Telnet/Rlogin logins.

  • login_terminal (event) – Generated for clients transmitting a terminal type in a Telnet session.

  • rsh_reply (event) – Generated for client side commands on an RSH connection.

  • rsh_request (event) – Generated for client side commands on an RSH connection.

Detailed Interface

Events

activating_encryption
Type

event (c: connection)

Generated for Telnet sessions when encryption is activated. The Telnet protocol includes options for negotiating encryption. When such a series of options is successfully negotiated, the event engine generates this event.

See Wikipedia for more information about the Telnet protocol.

Parameters
  • c – The connection.

See also: authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal

authentication_accepted
Type

event (name: string, c: connection)

Generated when a Telnet authentication has been successful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it accepts the authentication, then the event engine generates this event.

See Wikipedia for more information about the Telnet protocol.

Parameters
  • name – The authenticated name.

  • c – The connection.

See also: authentication_rejected, authentication_skipped, login_success

Note

This event inspects the corresponding Telnet option while login_success heuristically determines success by watching session data.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

authentication_rejected
Type

event (name: string, c: connection)

Generated when a Telnet authentication has been unsuccessful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it did not accept the authentication, then the event engine generates this event.

See Wikipedia for more information about the Telnet protocol.

Parameters
  • name – The attempted authentication name.

  • c – The connection.

See also: authentication_accepted, authentication_skipped, login_failure

Note

This event inspects the corresponding Telnet option while login_failure heuristically determines failure by watching session data.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

authentication_skipped
Type

event (c: connection)

Generated for Telnet/Rlogin sessions when a pattern match indicates that no authentication is performed.

See Wikipedia for more information about the Telnet protocol.

Parameters
  • c – The connection.

See also: authentication_accepted, authentication_rejected, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying activity. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

bad_option
Type

event (c: connection)

Generated for an ill-formed or unrecognized Telnet option.

See Wikipedia for more information about the Telnet protocol.

Parameters
  • c – The connection.

See also: inconsistent_option, bad_option_termination, authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

bad_option_termination
Type

event (c: connection)

Generated for a Telnet option that’s incorrectly terminated.

See Wikipedia for more information about the Telnet protocol.

Parameters
  • c – The connection.

See also: inconsistent_option, bad_option, authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

inconsistent_option
Type

event (c: connection)

Generated for an inconsistent Telnet option. Telnet options are specified by the client and server stating which options they are willing to support vs. which they are not, and then instructing one another which in fact they should or should not use for the current connection. If the event engine sees a peer violate either what the other peer has instructed it to do, or what it itself offered in terms of options in the past, then the engine generates this event.

See Wikipedia for more information about the Telnet protocol.

Parameters
  • c – The connection.

See also: bad_option, bad_option_termination, authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal

login_confused
Type

event (c: connection, msg: string, line: string)

Generated when tracking of Telnet/Rlogin authentication failed. As Zeek’s login analyzer uses a number of heuristics to extract authentication information, it may become confused. If it can no longer correctly track the authentication dialog, it raises this event.

Parameters
  • c – The connection.

  • msg – Gives the particular problem the heuristics detected (for example, multiple_login_prompts means that the engine saw several login prompts in a row, without the type-ahead from the client side presumed necessary to cause them)

  • line – The line of text that caused the heuristics to conclude they were confused.

See also: login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_confused_text
Type

event (c: connection, line: string)

Generated after getting confused while tracking a Telnet/Rlogin authentication dialog. The login analyzer generates this event for every line of user input after it has reported login_confused for a connection.

Parameters
  • c – The connection.

  • line – The line the user typed.

See also: login_confused, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_display
Type

event (c: connection, display: string)

Generated for clients transmitting an X11 DISPLAY in a Telnet session. This information is extracted out of environment variables sent as Telnet options.

Parameters
  • c – The connection.

  • display – The DISPLAY transmitted.

See also: login_confused, login_confused_text, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_failure
Type

event (c: connection, user: string, client_user: string, password: string, line: string)

Generated for Telnet/Rlogin login failures. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been unsuccessful.

Parameters
  • c – The connection.

  • user – The user name tried.

  • client_user – For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).

  • password – The password tried.

  • line – The line of text that led the analyzer to conclude that the authentication had failed.

See also: login_confused, login_confused_text, login_display, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_input_line
Type

event (c: connection, line: string)

Generated for lines of input on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.

Parameters
  • c – The connection.

  • line – The input line.

See also: login_confused, login_confused_text, login_display, login_failure, login_output_line, login_prompt, login_success, login_terminal, rsh_request

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_output_line
Type

event (c: connection, line: string)

Generated for lines of output on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.

Parameters
  • c – The connection.

  • line – The output line.

See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_prompt, login_success, login_terminal, rsh_reply

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_prompt
Type

event (c: connection, prompt: string)

Generated for clients transmitting a terminal prompt in a Telnet session. This information is extracted out of environment variables sent as Telnet options.

See Wikipedia for more information about the Telnet protocol.

Parameters
  • c – The connection.

  • prompt – The TTYPROMPT transmitted.

See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_success, login_terminal

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

login_success
Type

event (c: connection, user: string, client_user: string, password: string, line: string)

Generated for successful Telnet/Rlogin logins. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been successful.

Parameters
  • c – The connection.

  • user – The user name used.

  • client_user – For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).

  • password – The password used.

  • line – The line of text that led the analyzer to conclude that the authentication had succeeded.

See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state

Note

The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
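The following script is an added example, not part of Zeek or of this page: it takes the Analyzer::register_for_ports route from the Todo above, supplies the script-level pattern sets the Note says the login heuristics depend on, and handles login_failure, login_success and login_confused. The analyzer tag name Analyzer::ANALYZER_TELNET, the set[string] type of the pattern variables, the failure threshold and the pattern strings are assumptions.

```zeek
@load base/frameworks/notice

module LoginMonitor;

export {
    redef enum Notice::Type += {
        ## Repeated Telnet/Rlogin login failures from one origin host.
        Login_Bruteforce,
    };
    ## Failures from one origin host before a notice is raised (assumed value).
    const failure_threshold = 5 &redef;
}

# The analyzer is not active by default; bind it to a port as the Todo notes.
# The tag name Analyzer::ANALYZER_TELNET is assumed.
event zeek_init()
    {
    Analyzer::register_for_ports(Analyzer::ANALYZER_TELNET, set(23/tcp));
    }

# Script-level pattern sets the login heuristics depend on; sample values.
redef login_prompts += { "login:", "Login:", "Username:", "Password:" };
redef login_failure_msgs += { "Login incorrect", "Login failed", "Permission denied" };
redef login_success_msgs += { "Last login", "Welcome to" };
redef login_timeouts += { "timed out", "Timeout" };

# Failed attempts per origin host, forgotten 10 minutes after first seen.
global failures: table[addr] of count &default=0 &create_expire=10min;

event login_failure(c: connection, user: string, client_user: string,
                    password: string, line: string)
    {
    # The password argument is deliberately not recorded anywhere.
    ++failures[c$id$orig_h];
    if ( failures[c$id$orig_h] >= failure_threshold )
        NOTICE([$note=Login_Bruteforce, $conn=c,
                $msg=fmt("%d failed logins, last user %s, server said: %s",
                         failures[c$id$orig_h], user, line),
                $identifier=cat(c$id$orig_h), $suppress_for=10min]);
    }

event login_success(c: connection, user: string, client_user: string,
                    password: string, line: string)
    {
    # Rlogin fills client_user from the .rhosts trust handshake; Telnet leaves it empty.
    print fmt("%s: login as %s (client user '%s') matched: %s",
              c$uid, user, client_user, line);
    delete failures[c$id$orig_h];
    }

event login_confused(c: connection, msg: string, line: string)
    {
    # Heuristics lost the dialog (e.g. multiple_login_prompts): unclassified, not clean.
    print fmt("%s: login tracking confused: %s", c$uid, msg);
    }
```

Because every login_* event here is heuristic, a missing login_success after a burst of failures says nothing on its own; the login_confused handler is what tells you the session could not be classified.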

login_terminal
Type

event (c: connection, terminal: string)

Generated for clients transmitting a terminal type in a Telnet session. This information is extracted out of environment variables sent as Telnet options.

Parameters
  • c – The connection.

  • terminal – The TERM value transmitted.

See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.

rsh_reply
Type

event (c: connection, client_user: string, server_user: string, line: string)

Generated for client side commands on an RSH connection.

See RFC 1258 for more information about the Rlogin/Rsh protocol.

Parameters
  • c – The connection.

  • client_user – The client-side user name as sent in the initial protocol handshake.

  • server_user – The server-side user name as sent in the initial protocol handshake.

  • line – The command line sent in the request.

See also: rsh_request, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal

Note

For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.

rsh_request
Type

event (c: connection, client_user: string, server_user: string, line: string, new_session: bool)

Generated for client side commands on an RSH connection.

See RFC 1258 for more information about the Rlogin/Rsh protocol.

Parameters
  • c – The connection.

  • client_user – The client-side user name as sent in the initial protocol handshake.

  • server_user – The server-side user name as sent in the initial protocol handshake.

  • line – The command line sent in the request.

  • new_session – True if this is the first command of the Rsh session.

See also: rsh_reply, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal

Note

For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.

Todo

Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.