[Bro] [bro] FTP User Name

Vlad Grigorescu vladg at illinois.edu
Wed Feb 10 07:50:24 PST 2016

From the USER command. See:

> 	if ( command == "USER" )
>		c$ftp$user = arg;

It's possible that the analyzer has a bug in it - if you could share
some more details or ideally a PCAP, we can look at getting it fixed.



Tim Desrochers <tgdesrochers at gmail.com> writes:

> Where does the username from FTP logs get derived from?
> I have a use case where I see FTP traffic to a destination but my AD is
> reporting the user originating the traffic as one name but the user field
> of the FTP log shows a different name.
> Why would this be?
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 800 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160210/326678ec/attachment.bin 

More information about the Bro mailing list