[Bro-Dev] #891: topic/jsiwek/gridftp
Bro Tracker
bro at tracker.bro-ids.org
Fri Oct 12 11:45:09 PDT 2012
#891: topic/jsiwek/gridftp
----------------------------+------------------------
Reporter: jsiwek | Owner:
Type: Merge Request | Status: new
Priority: Normal | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: | Keywords:
----------------------------+------------------------
Comment (by jsiwek):
> - The extensions to the SSL analysis store cert/chain information for
> all SSL connections now. Could that have a significant impact on memory
> or CPU?
The storing of server certs was there previously and nothing should have
changed regarding that to support gridftp. The presence of client certs
shouldn't be the common case for SSL and by default no validation is
performed on them.
> - in {{{ftp/gridftp.bro}}}
> {{{
> event ssl_established(c: connection) &priority=5
>        {
>        # Add service label to control channels.
>        if ( "FTP" in c$service )
>                add c$service["gridftp"];
>        }
> }}}
>
> Can that condition really only be true for GridFTP sessions?
Currently, I think so, but I could probably add some logic to further
qualify that for only FTP sessions that used AUTH GSSAPI.
> - in {{{ssl/main.bro}}}
>
> {{{ c$ssl = [$ts=network_time(), $uid=c$uid,
> $id=c$id,$cert_chain=vector(), $client_cert_chain=vector()]; }}}
>
> Is that initialization with {{{vector()}}} still needed? I thought we had
> fixed that a while ago so that containers in records get initialized to an
> empty instance?
If I remember right, it was necessary, but I could have just been copying
what had already existed for $cert_chain.
> Comment (by seth):
> oh, FTP has a starttls command, doesn't it?
I think there is an AUTH TLS method, but that wouldn't automatically get
an SSL analyzer attached to the connection. It would need the same
explicit internal support as gridftp (attaching the support analyzer to
decode the ADAT exchanges over FTP before forwarding for SSL analysis.)
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/891#comment:2>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker