[Bro] [bro] ftp & file hash

Seth Hall seth at icir.org
Sun Apr 3 11:52:43 PDT 2016

> On Apr 3, 2016, at 8:57 AM, Tim Desrochers <tgdesrochers at gmail.com> wrote:
> Does bro hash files it sees being uploaded and/or downloaded via FTP.  When I see traffic in the ftp.log I never see a fuid so I assume the file analyzer is not being executed against the traffic.  
> Am I correct in my assumption that by default bro does not hash files it sees over FTP?  

This is due to a race decision in the FTP analyzer.  Your control session and data session are likely being load balanced to separate workers due to them being separate TCP connections and the information that the Data analyzer should expect a connection on a separate worker isn't being communicated quickly enough.  We've discussed a few solutions to this problem, but still have not tackled it unfortunately.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list