Skip to content
Sniffpass will alert on cleartext passwords discovered in HTTP POST requests
Zeek Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Build Status


Sniffpass will alert on cleartext passwords discovered in HTTP POST requests.

By default it will not log passwords, but only log the username in a post_username field in http.log and create an entry in notice.log that a password was observed.


  • Install via Zeek package manager:
    $ zkg install zeek-sniffpass
    # or for legacy installs
    $ bro-pkg install zeek-sniffpass
  • Download the files to $PREFIX/bro/share/bro/site/sniffpass and add the following to your local.bro:
    @load ./sniffpass


  • You can enable different types of password logging. Add one (or more) of the following options to your local.bro file:

    redef SNIFFPASS::log_password_plain = T;
    redef SNIFFPASS::log_password_md5 = T;
    redef SNIFFPASS::log_password_sha1 = T;
    redef SNIFFPASS::log_password_sha256 = T;
  • You can disable logging to notice.log using this flag:

    redef SNIFFPASS::notice_log_enable = F;
  • By default, only the first 300 bytes of an HTTP POST request are parsed. This can be changed by adding the following to your local.bro file and setting your own value:

    redef SNIFFPASS::post_body_limit = 300

Automated Testing

Automated tests are done against the http_post.trace file with Travis CI.


  • If you are having any issues, ensure that you have TCP Checksumming disabled in your local.bro file, as per Zeek Documentation

    redef ignore_checksums = T;

Created By

Andrew Klaus (Cybera)

This module was inspired by the University of Alberta's 2019 CUCCIO Innovation Award Plaintext Password Sniffing Project.

You can’t perform that action at this time.