[Bro] FTP password saving

Patrik Lundin patrik.lundin.swe at gmail.com
Sat Apr 21 18:36:58 PDT 2012

On Sat, Apr 21, 2012 at 08:41:18PM -0400, Seth Hall wrote:
> That's exactly the reason I added it.  We try to stick to what's
> actually seen in the real world and "ftpuser" seems like a reasonable
> name to add.

Just to be explicit, this pcap is a "dig around these bits and find out
what is bad" training/testing example. I'm not sure it is actually
based on traffic caught in the wild.

> -		if ( s?$password && to_lower(s$user) !in guest_ids )
> +		if ( s?$password && 
> +		     !s$capture_password && 
> +		     to_lower(s$user) !in guest_ids )
> +			{
> 			s$password = "<hidden>";
> +			}
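Review bot: The added `!s$capture_password` term in the condition means that when capture_password is true the password of every non-guest user skips the "<hidden>" replacement and reaches the log in cleartext, and nothing in these lines documents that this is the intended opt-in behaviour. A comment above the `if` stating that capture_password deliberately disables masking would help, and it should be confirmed that the field is off by default. Also note that `s$password` is guarded with `s?$password` while `s$capture_password` is read without a guard, so the field needs a default value or the same existence check.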

I'm not sure I'm mentally parsing this right...  Wouldn't this change
actually make the code log all passwords (as I expected in the first
place) if capture_password is true? Wasn't your intention to always keep
the passwords out of the logs unless specifically anonymous/guest?

It's getting very late/early here, hope I'm not being extraordinarily

Patrik Lundin
