Sniffpass will alert on cleartext passwords discovered in HTTP POST requests.
By default it will not log passwords, but only log the username in a
post_username field in
and create an entry in
notice.log that a password was observed.
Install via Zeek package manager:
$ zkg install zeek-sniffpass
# or for legacy installs
$ bro-pkg install zeek-sniffpass
- Download the files to
$PREFIX/bro/share/bro/site/sniffpass and add the following to your
- You can enable different types of password logging. Add one (or more) of the following options to your
redef SNIFFPASS::log_password_plain = T;
redef SNIFFPASS::log_password_md5 = T;
redef SNIFFPASS::log_password_sha1 = T;
redef SNIFFPASS::log_password_sha256 = T;
You can disable logging to notice.log using this flag:
redef SNIFFPASS::notice_log_enable = F;
By default, only the first 300 bytes of an HTTP POST request are parsed. This can be changed by adding the following to your
local.bro file and setting your own value:
redef SNIFFPASS::post_body_limit = 300;
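To see what the 300-byte default means for detection coverage, the following Python model (an added example, not code from this package) parses only the first post_body_limit bytes of a form-encoded body and reports what would be observed. Assumptions: the field-name lists, the record keys other than post_username, and the truncate-then-parse order are hypothetical stand-ins, and the sample bodies are constructed.

```python
import hashlib
from urllib.parse import parse_qs

# Hypothetical field names; the module's real match list is not shown on this page.
USER_KEYS = ("username", "user", "login")
PASS_KEYS = ("password", "passwd", "pass")

def inspect_post(body: bytes, post_body_limit: int = 300, digests=("sha256",)):
    """Simplified model: only the first post_body_limit bytes are parsed."""
    window = body[:post_body_limit].decode("latin-1")
    fields = parse_qs(window, keep_blank_values=True)
    record = {"post_username": None, "password_seen": False, "digests": {}}
    for key in USER_KEYS:
        if key in fields:
            record["post_username"] = fields[key][0]
            break
    for key in PASS_KEYS:
        if key in fields:
            record["password_seen"] = True
            secret = fields[key][0].encode("utf-8")
            for name in digests:  # mirrors the md5 / sha1 / sha256 options
                record["digests"][name] = hashlib.new(name, secret).hexdigest()
            break
    return record

# Constructed sample bodies (not captured traffic).
SHORT = b"username=alice&password=correct-horse"
# A large hidden field ahead of the credentials pushes them past the window.
LATE = b"__VIEWSTATE=" + b"A" * 400 + b"&" + SHORT
# 262 filler bytes place the 300-byte cut inside the password value ("correct").
STRADDLE = b"username=alice&token=" + b"B" * 262 + b"&password=correct-horse"

def coverage_report(limit_default=300, limit_raised=1024):
    return {
        "short": inspect_post(SHORT, limit_default),
        "late_default": inspect_post(LATE, limit_default),
        "late_raised": inspect_post(LATE, limit_raised),
        "straddle_default": inspect_post(STRADDLE, limit_default),
        "straddle_raised": inspect_post(STRADDLE, limit_raised),
    }

if __name__ == "__main__":
    for name, rec in coverage_report().items():
        print(name, rec)
```

In this model a login form that places a large hidden field before the credentials is missed entirely at the default limit, and a password that straddles the cut yields a digest of the truncated value, so digests from such requests will not match digests of the full password.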
Automated tests are done against the
http_post.trace file with Travis CI.
If you are having any issues, ensure that you have TCP Checksumming disabled in your
local.bro file, as per Zeek Documentation:
redef ignore_checksums = T;
Andrew Klaus (Cybera)
This module was inspired by the University of Alberta's 2019 CUCCIO Innovation Award Plaintext Password Sniffing Project.