12. LoggedIn
The LoggedIn module analyses the names of all currently logged-in users.
12.1. Samples
Aug 26 12:28:07 server44.local.net/10.7.1.100 THOR: Warning: MODULE: LoggedIn MESSAGE: Suspicious logged in user name KEYWORD: ^[0-9a-z]{1,3}$ USER: abc SCORE: 75
12.2. Typical False Positives
Legitimate user account with three or fewer characters
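One way to triage these events against known legitimate short account names, as an added example that is not part of THOR or its documentation. The per-host allowlist and the function names are assumptions; the log line is the sample from 12.1 joined onto one line.

```python
import re

# Sample event from section 12.1, joined onto one line.
SAMPLE = ("Aug 26 12:28:07 server44.local.net/10.7.1.100 THOR: Warning: "
          "MODULE: LoggedIn MESSAGE: Suspicious logged in user name "
          "KEYWORD: ^[0-9a-z]{1,3}$ USER: abc SCORE: 75")

# Field names as they appear in the sample event.
KEYS = "MODULE|MESSAGE|KEYWORD|USER|SCORE"
# A value runs until the next " KEY: " marker or the end of the line.
FIELD_RE = re.compile(rf"\b({KEYS}): (.*?)(?= (?:{KEYS}): |$)")
HEADER_RE = re.compile(
    r"^(?P<time>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) THOR: (?P<level>\w+): ")


def parse_event(line):
    """Split one THOR syslog line into header and KEY: value fields."""
    head = HEADER_RE.match(line.strip())
    if head is None:
        return None
    event = head.groupdict()
    event.update(dict(FIELD_RE.findall(line.strip()[head.end():])))
    return event


def triage(line, allowlist):
    """Return (verdict, event) for a LoggedIn event.

    allowlist is a hypothetical mapping of host name -> set of short
    account names that are known to be legitimate on that host.
    """
    event = parse_event(line)
    if event is None or event.get("MODULE") != "LoggedIn" or "USER" not in event:
        return ("skip", event)
    # The host field in the sample is "name/ip"; key the allowlist on the name.
    hostname = event["host"].split("/")[0].lower()
    user = event["USER"].lower()
    if user in allowlist.get(hostname, set()):
        return ("known-short-account", event)
    return ("review", event)


if __name__ == "__main__":
    # Constructed allowlist entries for illustration.
    known = {"server44.local.net": {"abc"}, "db01.local.net": {"ora"}}
    print(triage(SAMPLE, known)[0])   # account documented for this host
    print(triage(SAMPLE, {})[0])      # nothing documented: needs a human look
```

Keying the allowlist on the host keeps a short account that is documented on one server from suppressing the same name when it shows up on another.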
12.3. Attribute Evaluation
| Attribute | Question | Answer | Indication | Weight |
|---|---|---|---|---|
| USER | Does the user name look suspicious to a human eye? (e.g. | Yes | Good | Medium |
| | | No | Bad | Medium |