[Bro-Dev] #891: topic/jsiwek/gridftp

Bro Tracker bro at tracker.bro-ids.org
Fri Oct 12 11:45:09 PDT 2012


#891: topic/jsiwek/gridftp
----------------------------+------------------------
  Reporter:  jsiwek         |      Owner:
      Type:  Merge Request  |     Status:  new
  Priority:  Normal         |  Milestone:  Bro2.2
 Component:  Bro            |    Version:  git/master
Resolution:                 |   Keywords:
----------------------------+------------------------

Comment (by jsiwek):

 > - The extensions to the SSL analysis store cert/chain information for
 > all SSL connections now. Could that have a significant impact on memory
 > or CPU?

 The storing of server certs was there previously and nothing should have
 changed regarding that to support gridftp.  The presence of client certs
 shouldn't be the common case for SSL and by default no validation is
 performed on them.

 > - in {{{ftp/gridftp.bro}}}
 >    {{{
 > event ssl_established(c: connection) &priority=5
 >         {
 >         # Add service label to control channels.
 >         if ( "FTP" in c$service )
 >                 add c$service["gridftp"];
 >         }
 > }}}
 >
 > Can that condition really only be true for GridFTP sessions?

 Currently, I think so, but I could probably add some logic to further
 qualify that for only FTP sessions that used AUTH GSSAPI.

 > - in {{{ssl/main.bro}}}
 >
 > {{{ c$ssl = [$ts=network_time(), $uid=c$uid,
 > $id=c$id,$cert_chain=vector(), $client_cert_chain=vector()]; }}}
 >
 > Is that initialization with {{{vector()}}} still needed? I thought we
 > had fixed that a while ago so that containers in records get
 > initialized to an empty instance?

 If I remember right, it was necessary, but I could have just been copying
 what had already existed for $cert_chain.

 > Comment (by seth):
 > oh, FTP has a starttls command, doesn't it?

 I think there is an AUTH TLS method, but that wouldn't automatically get
 an SSL analyzer attached to the connection.  It would need the same
 explicit internal support as gridftp (attaching the support analyzer to
 decode the ADAT exchanges over FTP before forwarding for SSL analysis.)

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/891#comment:2>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
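
Added example, not part of the ticket and not Bro's code: a Python sketch of the step discussed above, decoding ADAT payloads only after the server has accepted AUTH GSSAPI and checking whether each token begins with a TLS record header before it would go to SSL parsing. The 334/335/235 reply codes and the "ADAT=" reply form follow RFC 2228; the function names and the sample transcript are constructed for illustration.

```python
import base64
import binascii

TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                    22: "handshake", 23: "application_data"}

def tls_record_type(token):
    """Name the TLS record type if token begins with a plausible record header."""
    if len(token) >= 5 and token[0] in TLS_RECORD_TYPES and token[1] == 3:
        return TLS_RECORD_TYPES[token[0]]
    return None

def adat_tokens(lines):
    """Return [(sender, token_bytes)] for ADAT data exchanged after the server
    accepts AUTH GSSAPI (reply 334). lines is a list of (sender, text) pairs."""
    pending = accepted = False
    out = []
    for sender, text in lines:
        head, _, rest = text.strip().partition(" ")
        payload = None
        if sender == "client":
            if head.upper() == "AUTH":
                pending, accepted = rest.strip().upper() == "GSSAPI", False
            elif head.upper() == "ADAT" and accepted:
                payload = rest.strip()
        elif pending:                      # server's answer to AUTH GSSAPI
            pending, accepted = False, head.startswith("334")
        elif accepted and head in ("235", "335") and rest.startswith("ADAT="):
            payload = rest[5:]
        if payload:
            try:
                out.append((sender, base64.b64decode(payload, validate=True)))
            except binascii.Error:
                continue                   # malformed base64: nothing to forward
    return out

def _b64(raw):
    return base64.b64encode(raw).decode()

# Constructed control-channel transcript (not captured traffic).
HELLO = bytes([22, 3, 1, 0, 4]) + b"\x01\x00\x00\x00"
SAMPLE = [
    ("client", "AUTH TLS"),
    ("server", "234 AUTH TLS OK"),
    ("client", "ADAT " + _b64(HELLO)),     # ignored: AUTH GSSAPI not accepted
    ("client", "AUTH GSSAPI"),
    ("server", "334 Using authentication type GSSAPI; ADAT must follow"),
    ("client", "ADAT " + _b64(HELLO)),
    ("server", "335 ADAT=" + _b64(bytes([22, 3, 1, 0, 2]) + b"\x02\x00")),
    ("client", "ADAT not*base64"),         # ignored: invalid base64
]
```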