Package: base/protocols/ftp

Support for File Transfer Protocol (FTP) analysis.

base/protocols/ftp/__load__.bro

base/protocols/ftp/utils-commands.bro

base/protocols/ftp/info.bro

Defines data structures for tracking and logging FTP sessions.

base/protocols/ftp/main.bro

The logging this script does is primarily focused on logging FTP commands along with metadata. For example, if files are transferred, the argument will take on the full path that the client is at along with the requested file name.

base/protocols/ftp/utils.bro

Utilities specific for FTP processing.

base/protocols/ftp/files.bro

base/protocols/ftp/gridftp.bro

A detection script for GridFTP data and control channels.

GridFTP control channels are identified by FTP control channels that successfully negotiate the GSSAPI method of an AUTH request and for which the exchange involved an encoded TLS/SSL handshake, indicating the GSI mechanism for GSSAPI was used. This analysis is all supported internally, this script simply adds the “gridftp” label to the service field of the control channel’s connection record.

GridFTP data channels are identified by a heuristic that relies on the fact that default settings for GridFTP clients typically mutually authenticate the data channel with TLS/SSL and negotiate a NULL bulk cipher (no encryption). Connections with those attributes are marked as GridFTP if the data transfer within the first two minutes is big enough to indicate a GripFTP data channel that would be undesirable to analyze further (e.g. stop TCP reassembly). A side effect is that true connection sizes are not logged, but at the benefit of saving CPU cycles that would otherwise go to analyzing the large (and likely benign) connections.


Copyright 2016, The Bro Project. Last updated on December 07, 2018. Created using Sphinx 1.8.2.