Sniffpass will alert on cleartext passwords discovered in HTTP POST requests.

By default it does not log the passwords themselves: it logs only the username, in a post_username field in http.log, and creates an entry in notice.log stating that a password was observed.


  • Install via Zeek package manager:

     $ zkg install zeek-sniffpass
     # or for legacy installs
     $ bro-pkg install zeek-sniffpass
  • Alternatively, download the files to $PREFIX/bro/share/bro/site/sniffpass and add the following to your local.bro:
      @load ./sniffpass


  • You can enable different types of password logging. Add one (or more) of the following options to your local.bro file:
      redef SNIFFPASS::log_password_plain = T;
      redef SNIFFPASS::log_password_md5 = T;
      redef SNIFFPASS::log_password_sha1 = T;
      redef SNIFFPASS::log_password_sha256 = T;
  • You can disable logging to notice.log using this flag:

      redef SNIFFPASS::notice_log_enable = F;
  • By default, only the first 300 bytes of an HTTP POST request are parsed. To change this, add the following to your local.bro file with your own value:

      redef SNIFFPASS::post_body_limit = 300;
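
The following is an added example, not code from the Sniffpass project: it reads a Zeek TSV http.log and counts which servers and URIs received POSTs where a post_username was recorded, which gives a list of the services still accepting credentials over cleartext HTTP. Only the post_username field name comes from this page; the log records are constructed sample data and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample of a Zeek TSV http.log that includes the post_username
# column; a real http.log carries many more columns.
SAMPLE_HTTP_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi\tpost_username
#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring\tstring
1560000000.000000\tCa1\t10.0.0.5\t192.0.2.10\tPOST\tintranet.example\t/login\talice
1560000001.000000\tCa2\t10.0.0.6\t192.0.2.10\tPOST\tintranet.example\t/login\tbob
1560000002.000000\tCa3\t10.0.0.5\t192.0.2.20\tGET\twww.example\t/\t-
1560000003.000000\tCa4\t10.0.0.7\t192.0.2.30\tPOST\tprinter.example\t/admin\tadmin
#close\t2019-06-08-13-20-04
"""


def read_zeek_tsv(text):
    """Yield one dict per record, taking column names from the #fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def cleartext_logins(text):
    """Count records with a captured username per (server IP, host, URI)."""
    endpoints = Counter()
    users = {}
    for rec in read_zeek_tsv(text):
        user = rec.get("post_username", "-")
        if user in ("-", "(empty)"):  # Zeek's unset / empty markers
            continue
        key = (rec["id.resp_h"], rec["host"], rec["uri"])
        endpoints[key] += 1
        users.setdefault(key, set()).add(user)
    return endpoints, users


if __name__ == "__main__":
    endpoints, users = cleartext_logins(SAMPLE_HTTP_LOG)
    for key, hits in endpoints.most_common():
        print(hits, *key, "distinct users:", len(users[key]))
```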

Automated Testing

Automated tests are run against the http_post.trace file with Travis CI.


  • If you are having any issues, ensure that you have TCP checksumming disabled in your local.bro file, as per the Zeek documentation:

      redef ignore_checksums = T;

Created By

Andrew Klaus (Cybera)

This module was inspired by the University of Alberta's 2019 CUCCIO Innovation Award Plaintext Password Sniffing Project.

