Sniffpass will alert on cleartext passwords discovered in HTTP POST requests.
By default it will not log passwords, but only log the username in a post_username field in http.log
and create an entry in notice.log that a password was observed.
- Install via Zeek package manager:
$ zkg install zeek-sniffpass # or for legacy installs $ bro-pkg install zeek-sniffpass - Download the files to
$PREFIX/bro/share/bro/site/sniffpassand add the following to yourlocal.bro:@load ./sniffpass
-
You can enable different types of password logging. Add one (or more) of the following options to your
local.brofile:redef SNIFFPASS::log_password_plain = T; redef SNIFFPASS::log_password_md5 = T; redef SNIFFPASS::log_password_sha1 = T; redef SNIFFPASS::log_password_sha256 = T; -
You can disable logging to notice.log using this flag:
redef SNIFFPASS::notice_log_enable = F; -
By default, only the first 300 bytes of an HTTP POST request are parsed. This can be changed by adding the following to your
local.brofile and setting your own value:redef SNIFFPASS::post_body_limit = 300
Automated tests are done against the http_post.trace file with Travis CI.
-
If you are having any issues, ensure that you have TCP Checksumming disabled in your
local.brofile, as per Zeek Documentationredef ignore_checksums = T;
Andrew Klaus (Cybera)
This module was inspired by the University of Alberta's 2019 CUCCIO Innovation Award Plaintext Password Sniffing Project.