base/bif/plugins/Zeek_Login.events.bif.zeek
- Namespace: GLOBAL
Summary
Events
| activating_encryption | Generated for Telnet sessions when encryption is activated. |
| authentication_accepted | Generated when a Telnet authentication has been successful. |
| authentication_rejected | Generated when a Telnet authentication has been unsuccessful. |
| authentication_skipped | Generated for Telnet/Rlogin sessions when a pattern match indicates that no authentication is performed. |
| bad_option | Generated for an ill-formed or unrecognized Telnet option. |
| bad_option_termination | Generated for a Telnet option that’s incorrectly terminated. |
| inconsistent_option | Generated for an inconsistent Telnet option. |
| login_confused | Generated when tracking of Telnet/Rlogin authentication failed. |
| login_confused_text | Generated after getting confused while tracking a Telnet/Rlogin authentication dialog. |
| login_display | Generated for clients transmitting an X11 DISPLAY in a Telnet session. |
| login_failure | Generated for Telnet/Rlogin login failures. |
| login_input_line | Generated for lines of input on Telnet/Rlogin sessions. |
| login_output_line | Generated for lines of output on Telnet/Rlogin sessions. |
| login_prompt | Generated for clients transmitting a terminal prompt in a Telnet session. |
| login_success | Generated for successful Telnet/Rlogin logins. |
| login_terminal | Generated for clients transmitting a terminal type in a Telnet session. |
| rsh_reply | Generated for client side commands on an RSH connection. |
| rsh_request | Generated for client side commands on an RSH connection. |
Detailed Interface
Events
- activating_encryption
- Type: event (c: connection)
Generated for Telnet sessions when encryption is activated. The Telnet protocol includes options for negotiating encryption. When such a series of options is successfully negotiated, the event engine generates this event.
See Wikipedia for more information about the Telnet protocol.
- Parameters
c – The connection.
See also: authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
- authentication_accepted
- Type: event (name: string, c: connection)
Generated when a Telnet authentication has been successful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it accepts the authentication, then the event engine generates this event.
See Wikipedia for more information about the Telnet protocol.
- Parameters
name – The authenticated name.
c – The connection.
See also: authentication_rejected, authentication_skipped, login_success
Note
This event inspects the corresponding Telnet option while login_success heuristically determines success by watching session data.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- authentication_rejected
- Type: event (name: string, c: connection)
Generated when a Telnet authentication has been unsuccessful. The Telnet protocol includes options for negotiating authentication. When such an option is sent from client to server and the server replies that it did not accept the authentication, then the event engine generates this event.
See Wikipedia for more information about the Telnet protocol.
- Parameters
name – The attempted authentication name.
c – The connection.
See also: authentication_accepted, authentication_skipped, login_failure
Note
This event inspects the corresponding Telnet option while login_success heuristically determines failure by watching session data.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- authentication_skipped
- Type: event (c: connection)
Generated for Telnet/Rlogin sessions when a pattern match indicates that no authentication is performed.
See Wikipedia for more information about the Telnet protocol.
- Parameters
c – The connection.
See also: authentication_accepted, authentication_rejected, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Note
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying activity. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- bad_option
- Type: event (c: connection)
Generated for an ill-formed or unrecognized Telnet option.
See Wikipedia for more information about the Telnet protocol.
- Parameters
c – The connection.
See also: inconsistent_option, bad_option_termination, authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- bad_option_termination
- Type: event (c: connection)
Generated for a Telnet option that’s incorrectly terminated.
See Wikipedia for more information about the Telnet protocol.
- Parameters
c – The connection.
See also: inconsistent_option, bad_option, authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- inconsistent_option
- Type: event (c: connection)
Generated for an inconsistent Telnet option. Telnet options are specified by the client and server stating which options they are willing to support vs. which they are not, and then instructing one another which in fact they should or should not use for the current connection. If the event engine sees a peer violate either what the other peer has instructed it to do, or what it itself offered in terms of options in the past, then the engine generates this event.
See Wikipedia for more information about the Telnet protocol.
- Parameters
c – The connection.
See also: bad_option, bad_option_termination, authentication_accepted, authentication_rejected, authentication_skipped, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
- login_confused
- Type: event (c: connection, msg: string, line: string)
Generated when tracking of Telnet/Rlogin authentication failed. As Zeek’s login analyzer uses a number of heuristics to extract authentication information, it may become confused. If it can no longer correctly track the authentication dialog, it raises this event.
- Parameters
c – The connection.
msg – Gives the particular problem the heuristics detected (for example, multiple_login_prompts means that the engine saw several login prompts in a row, without the type-ahead from the client side presumed necessary to cause them).
line – The line of text that caused the heuristics to conclude they were confused.
See also: login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- login_confused_text
- Type: event (c: connection, line: string)
Generated after getting confused while tracking a Telnet/Rlogin authentication dialog. The login analyzer generates this event for every line of user input after it has reported login_confused for a connection.
- Parameters
c – The connection.
line – The line the user typed.
See also: login_confused, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- login_display
- Type: event (c: connection, display: string)
Generated for clients transmitting an X11 DISPLAY in a Telnet session. This information is extracted out of environment variables sent as Telnet options.
- Parameters
c – The connection.
display – The DISPLAY transmitted.
See also: login_confused, login_confused_text, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- login_failure
-
Generated for Telnet/Rlogin login failures. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been unsuccessful.
- Parameters
c – The connection.
user – The user name tried.
client_user – For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).
password – The password tried.
line – The line of text that led the analyzer to conclude that the authentication had failed.
See also: login_confused, login_confused_text, login_display, login_input_line, login_output_line, login_prompt, login_success, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Note
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- login_input_line
- Type: event (c: connection, line: string)
Generated for lines of input on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.
- Parameters
c – The connection.
line – The input line.
See also: login_confused, login_confused_text, login_display, login_failure, login_output_line, login_prompt, login_success, login_terminal, rsh_request
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- login_output_line
- Type: event (c: connection, line: string)
Generated for lines of output on Telnet/Rlogin sessions. The line will have control characters (such as in-band Telnet options) removed.
- Parameters
c – The connection.
line – The output line.
See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_prompt, login_success, login_terminal, rsh_reply
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- login_prompt
- Type: event (c: connection, prompt: string)
Generated for clients transmitting a terminal prompt in a Telnet session. This information is extracted out of environment variables sent as Telnet options.
See Wikipedia for more information about the Telnet protocol.
- Parameters
c – The connection.
prompt – The TTYPROMPT transmitted.
See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_success, login_terminal
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- login_success
-
Generated for successful Telnet/Rlogin logins. The login analyzer inspects Telnet/Rlogin sessions to heuristically extract username and password information as well as the text returned by the login server. This event is raised if a login attempt appears to have been successful.
- Parameters
c – The connection.
user – The user name used.
client_user – For Telnet connections, this is an empty string, but for Rlogin connections, it is the client name passed in the initial authentication information (to check against .rhosts).
password – The password used.
line – The line of text that led the analyzer to conclude that the authentication had succeeded.
See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_terminal, direct_login_prompts, get_login_state, login_failure_msgs, login_non_failure_msgs, login_prompts, login_success_msgs, login_timeouts, set_login_state
Note
The login analyzer depends on a set of script-level variables that need to be configured with patterns identifying login attempts. This configuration has not yet been ported, and the analyzer is therefore not directly usable at the moment.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- login_terminal
- Type: event (c: connection, terminal: string)
Generated for clients transmitting a terminal type in a Telnet session. This information is extracted out of environment variables sent as Telnet options.
- Parameters
c – The connection.
terminal – The TERM value transmitted.
See also: login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to add a call to Analyzer::register_for_ports or a DPD payload signature.
- rsh_reply
- Type: event (c: connection, client_user: string, server_user: string, line: string)
Generated for client side commands on an RSH connection.
See RFC 1258 for more information about the Rlogin/Rsh protocol.
- Parameters
c – The connection.
client_user – The client-side user name as sent in the initial protocol handshake.
server_user – The server-side user name as sent in the initial protocol handshake.
line – The command line sent in the request.
See also: rsh_request, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Note
For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
- rsh_request
- Type: event (c: connection, client_user: string, server_user: string, line: string, new_session: bool)
Generated for client side commands on an RSH connection.
See RFC 1258 for more information about the Rlogin/Rsh protocol.
- Parameters
c – The connection.
client_user – The client-side user name as sent in the initial protocol handshake.
server_user – The server-side user name as sent in the initial protocol handshake.
line – The command line sent in the request.
new_session – True if this is the first command of the Rsh session.
See also: rsh_reply, login_confused, login_confused_text, login_display, login_failure, login_input_line, login_output_line, login_prompt, login_success, login_terminal
Note
For historical reasons, these events are separate from the login_ events. Ideally, they would all be handled uniquely.
Todo
Zeek’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported. To still enable this event, one needs to register a port for it or add a DPD payload signature.
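The Note and Todo items for login_failure and login_success name two prerequisites: activating the analyzer and configuring the pattern variables. The following Zeek script is an added example, not part of the Zeek distribution, that does both for Telnet on 23/tcp and turns the two events into notices. The module name, notice types, threshold and sample pattern strings are assumptions, as is the treatment of the login_* variables as redef-able sets of pattern strings.

```zeek
# Added example; not shipped with Zeek. Names in this module are hypothetical.
module TelnetWatch;

export {
	redef enum Notice::Type += {
		## One source reached the failed-login threshold.
		Login_Guessing,
		## A login succeeded over an unencrypted Telnet session.
		Cleartext_Login
	};

	## Failed logins from one source before a notice is raised (assumed value).
	const fail_threshold = 5 &redef;
}

# Constructed sample strings; tune them to the banners of your own hosts.
# Assumption: these variables are redef-able sets of strings that the login
# analyzer matches as patterns against session text.
redef login_prompts += { "login:", "Login:", "Username:" };
redef login_failure_msgs += { "incorrect", "Login failed" };
redef login_success_msgs += { "Last login" };

const telnet_ports = { 23/tcp };

# Per-source failure counter; entries expire so old noise does not add up.
global failures: table[addr] of count &create_expire=10min;

event zeek_init()
	{
	# The activation step the Todo items call for.
	Analyzer::register_for_ports(Analyzer::ANALYZER_TELNET, telnet_ports);
	}

event login_failure(c: connection, user: string, client_user: string,
                    password: string, line: string)
	{
	local src = c$id$orig_h;
	if ( src !in failures )
		failures[src] = 0;
	++failures[src];

	# The password argument is deliberately never written to a log or notice.
	if ( failures[src] == fail_threshold )
		NOTICE([$note=Login_Guessing, $conn=c, $src=src,
		        $msg=fmt("%s: %d failed Telnet logins, last user '%s'",
		                 src, fail_threshold, user)]);
	}

event login_success(c: connection, user: string, client_user: string,
                    password: string, line: string)
	{
	NOTICE([$note=Cleartext_Login, $conn=c,
	        $msg=fmt("user '%s' logged in over clear-text Telnet", user),
	        $identifier=cat(c$id$orig_h, c$id$resp_h, user)]);
	}
```

Because both events are heuristic, a handler for login_confused on the same connections shows where the analyzer lost track of the dialog and the counts above cannot be trusted.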