[Bro] [bro] FTP User Name
vladg at illinois.edu
Wed Feb 10 07:50:24 PST 2016
From the USER command. See:
> if ( command == "USER" )
> c$ftp$user = arg;
It's possible that the analyzer has a bug in it - if you could share
some more details or ideally a PCAP, we can look at getting it fixed.
Tim Desrochers <tgdesrochers at gmail.com> writes:
> Where does the username from FTP logs get derived from?
> I have a use case where I see FTP traffic to a destination but my AD is
> reporting the user originating the traffic as one name but the user field
> of the FTP log shows a different name.
> Why would this be?
> Bro mailing list
> bro at bro-ids.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 800 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160210/326678ec/attachment.bin
More information about the Bro