Sniffpass alerts on cleartext passwords discovered in HTTP POST requests. By default it does not log the password itself: it only records the username in a `post_username` field added to `http.log` and writes an entry to `notice.log` stating that a password was observed.
- Install via the Zeek package manager:

```
$ zkg install zeek-sniffpass
```

  or, on legacy installs that still ship the old package manager name:

```
$ bro-pkg install zeek-sniffpass
```

- Or install manually: download the files to `$PREFIX/bro/share/bro/site/sniffpass` and add the following line to your `local.bro`:

```
@load ./sniffpass
```
You can enable logging of the password itself, either in plain text or as a hash. Add one (or more) of the following options to your `local.bro` file:

```
redef SNIFFPASS::log_password_plain = T;
redef SNIFFPASS::log_password_md5 = T;
redef SNIFFPASS::log_password_sha1 = T;
redef SNIFFPASS::log_password_sha256 = T;
```

Treat the resulting logs as sensitive. The hash options do not make `http.log` safe to share: MD5, SHA-1 and SHA-256 are fast hashes, so a weak password is recovered from its digest with a wordlist in seconds. They mainly let you correlate repeated logins without writing the password verbatim.
You can disable logging to `notice.log` with this flag:

```
redef SNIFFPASS::notice_log_enable = F;
```
By default, only the first 300 bytes of an HTTP POST body are inspected, so a password that appears later in a large form body is missed. To change this, add the following to your `local.bro` file and set your own value:

```
redef SNIFFPASS::post_body_limit = 300;
```
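The script below is an added example, not part of zeek-sniffpass. It shows how to consume what the package writes: it parses Zeek's tab-separated `http.log` (the `#fields`/`#types` headers and the `-` marker for unset fields are Zeek's real layout), pulls out the records where `post_username` is set, and, to make the point about hashed passwords concrete, runs a dictionary check over a logged MD5 digest. The three log records, the wordlist and the `post_password_md5` column name are constructed for illustration; this page does not state what sniffpass names its hashed-password column, so adjust that name to match your own log header.

```python
"""Triage zeek-sniffpass hits from a Zeek http.log.

Added example; it is not part of zeek-sniffpass. Zeek's tab-separated ASCII
log layout (#fields / #types headers, "-" for unset fields) and the
post_username column are real; the post_password_md5 column name, the log
records and the wordlist below are constructed for illustration.
"""
import hashlib
from typing import Dict, Iterator, List, Optional

UNSET = "-"  # Zeek's default marker for an unset optional field

# Constructed sample http.log (tabs separate the columns).
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\thttp\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod"
    "\thost\turi\tpost_username\tpost_password_md5\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring"
    "\tstring\tstring\tstring\tstring\n"
    "1700000000.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t203.0.113.10\t80"
    "\tPOST\tintranet.example\t/login\talice\t5f4dcc3b5aa765d61d8327deb882cf99\n"
    "1700000001.654321\tCHhAvVGS1DHFjwGM8\t10.0.0.7\t51300\t203.0.113.10\t80"
    "\tGET\tintranet.example\t/\t-\t-\n"
    "1700000002.000000\tCHhAvVGS1DHFjwGM7\t10.0.0.9\t51400\t203.0.113.11\t80"
    "\tPOST\tforum.example\t/post\tbob\t098f6bcd4621d373cade4e832627b4f6\n"
    "#close\t2023-11-14-22-13-23\n"
)

# Constructed wordlist standing in for a real one (rockyou and the like).
WEAK_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def parse_zeek_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the column names from #fields."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header lines, the #close trailer, blank lines
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError(f"column count mismatch in record: {line!r}")
            yield dict(zip(fields, values))


def sniffpass_hits(text: str) -> List[Dict[str, str]]:
    """Records where sniffpass saw a credential (post_username is set)."""
    return [r for r in parse_zeek_log(text) if r.get("post_username", UNSET) != UNSET]


def crack_md5(digest: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary attack on an unsalted MD5 digest; None if nothing matched."""
    digest = digest.lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def triage(text: str, wordlist: List[str]) -> List[Dict[str, Optional[str]]]:
    """Summarise each hit and flag those whose logged hash is a weak password."""
    report = []
    for r in sniffpass_hits(text):
        digest = r.get("post_password_md5", UNSET)
        report.append({
            "src": r["id.orig_h"],
            "host": r["host"],
            "uri": r["uri"],
            "user": r["post_username"],
            "weak_password": crack_md5(digest, wordlist) if digest != UNSET else None,
        })
    return report


if __name__ == "__main__":
    for hit in triage(SAMPLE_HTTP_LOG, WEAK_PASSWORDS):
        flag = f"WEAK ({hit['weak_password']})" if hit["weak_password"] else "not in wordlist"
        print(f"{hit['src']} -> {hit['host']}{hit['uri']} user={hit['user']} password: {flag}")
```

Run it against a real `http.log` by replacing `SAMPLE_HTTP_LOG` with the file contents; the parser keys records by the `#fields` header rather than by position, so it keeps working when other packages add columns of their own.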
Automated tests run against the `http_post.trace` capture file with Travis CI.
If you are having issues (no usernames or notices appear even though plaintext logins are in the traffic), make sure TCP checksum validation is disabled in your `local.bro` file, as described in the Zeek documentation. Checksum offloading on the capture interface leaves packets with invalid TCP checksums, and Zeek does not analyze those packets unless told to ignore checksums:

```
redef ignore_checksums = T;
```
Andrew Klaus (Cybera)
This module was inspired by the University of Alberta's 2019 CUCCIO Innovation Award Plaintext Password Sniffing Project.