12. LoggedIn

The LoggedIn module checks the names of all currently logged-in users.

12.1. Samples

Aug 26 12:28:07 server44.local.net/10.7.1.100
THOR: Warning: MODULE: LoggedIn
MESSAGE: Suspicious logged in user name
KEYWORD: ^[0-9a-z]{1,3}$
USER: abc
SCORE: 75

12.2. Typical False Positives

  • Legitimate user account with three or fewer characters

12.3. Attribute Evaluation

| Attribute | Question | Answer | Indication | Weight |
|-----------|----------|--------|------------|--------|
| USER | Does the user name look suspicious to a human eye? (e.g. abc, 123, adm123, suser, bckdr, master, access) | Yes | Good | Medium |
| | | No | Bad | Medium |
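
A triage sketch for the event in 12.1 and the false positive in 12.2, added here as an example and not part of THOR or its documentation: it parses the fields of a LoggedIn event and separates already-confirmed short account names from those that still need the human review described in 12.3. The allowlist `KNOWN_SHORT_ACCOUNTS` and the function names are assumptions, and the KEYWORD pattern is assumed to be compatible with Python's `re`.

```python
import re

# Field names as they appear in the 12.1 sample event.
FIELDS = "MODULE|MESSAGE|KEYWORD|USER|SCORE"
FIELD_RE = re.compile(r"\b(%s): (.*?)(?=\s(?:%s): |$)" % (FIELDS, FIELDS))

# The 12.1 sample, joined onto one line.
SAMPLE = (
    "Aug 26 12:28:07 server44.local.net/10.7.1.100 THOR: Warning: "
    "MODULE: LoggedIn MESSAGE: Suspicious logged in user name "
    "KEYWORD: ^[0-9a-z]{1,3}$ USER: abc SCORE: 75"
)

# Assumption: short account names already confirmed as legitimate (constructed).
KNOWN_SHORT_ACCOUNTS = {"dba", "ops"}


def parse_event(text):
    """Return the THOR fields of one event as a dict; line breaks are ignored."""
    flat = " ".join(text.split())
    event = {key: value.strip() for key, value in FIELD_RE.findall(flat)}
    if event.get("SCORE", "").isdigit():
        event["SCORE"] = int(event["SCORE"])
    return event


def triage(text, known_accounts=KNOWN_SHORT_ACCOUNTS):
    """Return (verdict, event); verdict is 'other', 'known-account' or 'review'."""
    event = parse_event(text)
    if event.get("MODULE") != "LoggedIn" or "USER" not in event:
        return "other", event
    user = event["USER"].lower()
    pattern = event.get("KEYWORD")
    try:
        # Does the reported pattern really match the reported name?
        event["keyword_matches"] = bool(re.search(pattern, user)) if pattern else None
    except re.error:
        event["keyword_matches"] = None  # pattern not valid for Python's re
    if user in known_accounts:
        return "known-account", event  # the typical false positive from 12.2
    return "review", event  # an analyst answers the 12.3 question


if __name__ == "__main__":
    verdict, event = triage(SAMPLE)
    print(verdict, event["USER"], event["SCORE"], event["keyword_matches"])
```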