[Bro] FTP password saving

Patrik Lundin patrik.lundin.swe at gmail.com
Sat Apr 21 17:09:58 PDT 2012


On Sat, Apr 21, 2012 at 02:38:04PM -0400, Seth Hall wrote:
> 
> That line of code actually works backwards from what you are thinking.
> The password is always captured into that field if it's seen.  That
> line just overwrites the password before logging it if you decide that
> you actually don't want the password (you can inspect at runtime, but
> it's not logged).
> 

Ah, I guess I expected that "capture_password" included logging it,
but I realize it makes sense to have it available at runtime yet keep
it out of the logs.

Have I grasped it correctly that the general thinking is that the
"capture_password" knob is only intended to control if the password
is available at runtime for analysis, but that you usually don't want to
log it except for a few select users? Why have you decided that users
"probably" want to log the password for anonymous/guest users?

> 
> redef FTP::default_capture_password = T;
> 
> Doing it in local.bro should be fine.
>

Not sure if I'm doing it wrong, but I just added that to the end of
local.bro and it didn't seem to do anything.

>
> Thanks for reporting the bug.  I committed a slightly different fix to
> our fastpath branch and added "ftpuser" as another anonymous username.
> The fix will show up in the 2.1 release.  You seem to have made the
> changes for yourself now to make this work at least, right?
> 

Thanks for looking into it and explaining stuff, I actually don't have a
burning need to have "ftpuser" added, it just happened to be the user
that was used in this specific pcap. Based on my misconception that
capturing the password was the same as wanting to log it I thought
an erroneous negation had snuck in :).

Let's say I wanted to actually log passwords for all users, what would
be the proper way to accomplish that?

Thanks for your time,
Patrik Lundin


