[Bro] Incomplete FTP file extraction

clautos sebclaut at gmail.com
Mon Sep 12 07:13:08 PDT 2016


I'm trying to extract all the files that transit through my network card over HTTP or FTP. I have no problem with HTTP, but with FTP I get incomplete files.

In the capture_loss.log I see packet loss even when I run bro from a PCAP file (and Wireshark did not miss packets).

The -C option is activated, and I retrieve files with the default extraction script from the Security Onion install (extract.bro). The file I'm trying to retrieve is a .exe (putty from the FTP download). I tried to download another .exe over FTP and it worked, but my putty.exe can't be extracted completely. I'm a bit confused.

Any idea how to retrieve my FTP files? Maybe I forgot an option?
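The script below is an added example, not part of the original post and not Security Onion's extract.bro. It shows the check a practitioner would want next to an extraction script: request extraction for PE executables and raise a notice when Bro itself reports that the extracted copy is incomplete (content gaps on the data connection, fewer bytes seen than announced, or a timeout). It is written against the Bro 2.4-era file-analysis API (file_sniff, file_state_remove, Files::add_analyzer, the fa_file fields seen_bytes, total_bytes and missing_bytes); the module name, notice type, set name and file naming are assumptions of this example.

```bro
# Added example (not from the original post, not Security Onion's extract.bro):
# extract Windows executables seen over FTP/HTTP and raise a notice when the
# extracted copy is known to be incomplete. Written against the Bro 2.4-era
# file-analysis API; module, notice and variable names are this example's own.
@load base/frameworks/notice
@load base/frameworks/files
@load base/files/extract

module ExtractCheck;

export {
    redef enum Notice::Type += {
        ## The file analysis framework saw gaps or a timeout while a file
        ## was being extracted, so the on-disk copy cannot be trusted.
        Incomplete_Extraction,
    };

    ## MIME types to extract (assumption: only PE executables matter here).
    const extract_mime_types: set[string] = { "application/x-dosexec" } &redef;
}

# File ids for which extraction was requested, so file_state_remove can
# tell them apart from files that were only sniffed.
global extracting: set[string];

event file_sniff(f: fa_file, meta: fa_metadata)
{
    if ( ! meta?$mime_type || meta$mime_type !in extract_mime_types )
        return;

    local src = f?$source ? f$source : "unknown";

    # Extracted files land in Bro's extract_files/ directory under this name,
    # e.g. FTP_DATA-<fuid>.exe (naming is an assumption of this example).
    local fname = fmt("%s-%s.exe", src, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    add extracting[f$id];
}

event file_state_remove(f: fa_file)
{
    if ( f$id !in extracting )
        return;
    delete extracting[f$id];

    local src = f?$source ? f$source : "unknown";
    local reason = "";

    # Bytes Bro never saw: content gaps on the data connection. Capture loss
    # (also visible in capture_loss.log) or reassembly gaps on the FTP data
    # channel show up here.
    if ( f$missing_bytes > 0 )
        reason = fmt("%d bytes missing", f$missing_bytes);

    # HTTP carries Content-Length; an FTP transfer only has a known size when
    # the client issued SIZE, so total_bytes is optional and often absent.
    else if ( f?$total_bytes && f$seen_bytes < f$total_bytes )
        reason = fmt("saw %d of %d bytes", f$seen_bytes, f$total_bytes);

    # The file analyzer hit its inactivity timeout before the transfer ended.
    else if ( f?$info && f$info$timedout )
        reason = "file analysis timed out";

    if ( reason == "" )
        return;

    NOTICE([$note=Incomplete_Extraction,
            $msg=fmt("extracted %s from %s is incomplete: %s", f$id, src, reason),
            $f=f]);
}
```

Run it against the trace the same way as the extraction script (for example `bro -C -r capture.pcap extract-check.bro`) and look in notice.log; the same counters are written to the seen_bytes, total_bytes, missing_bytes and timedout columns of files.log, so an existing files.log can be checked by hand without the script. A non-zero missing_bytes on a file read from a PCAP, with Wireshark showing no loss, points at gaps in how the data connection was reassembled or truncated rather than at the extraction script.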