[Bro] Incomplete FTP file extraction
newfire.bw at gmail.com
Mon Sep 12 19:12:10 PDT 2016
Recently, I had the same problem when running a bro cluster with pf_ring.
Finally, I solved it because the ports of FTP DATA and CMD are different;
maybe you need to hash the same FTP connection to the same thread, so bro
can extract the FTP file. Don't know if this could help you.
2016-09-12 22:13 GMT+08:00 clautos <sebclaut at gmail.com>:
> I'm trying to extract all the files that transit through my network card
> over HTTP or FTP.
> I have no problem with HTTP but with FTP files I get incomplete files.
> In the capture_loss.log I see packet loss even when I run bro from a PCAP
> file (and wireshark did not miss packets).
> The -C option is activated, I retrieve files with the default extraction
> script from the security-onion install (extract.bro). The file I'm trying
> to retrieve is a .exe (putty from the ftp download).
> I tried to download another .exe over FTP and it worked, but my putty.exe
> can't be extracted completely. I'm a bit confused.
> Any idea how to retrieve my ftp files? Maybe I forgot an option?
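The following is an added example, not code from either poster or from the Bro/pf_ring projects, illustrating the mechanism the reply describes: an FTP session is two TCP connections (control on port 21, data on a separate, usually ephemeral port), so a load balancer that hashes on the full 5-tuple can send the data connection to a worker that never saw the PASV/PORT exchange, and that worker has no reason to treat the stream as FTP data or extract a file. A hash on the IP pair alone keeps both connections on one worker. Worker counts, addresses, and port numbers below are constructed; the hash functions are a model of symmetric flow hashing, not pf_ring's actual implementation.

```python
import hashlib
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One TCP connection, identified by its endpoints (constructed model)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


def _digest(*parts) -> int:
    # Stable, platform-independent hash of the key fields (sha256 stands in
    # for whatever the capture layer really uses).
    raw = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(raw).digest()[:8], "big")


def worker_5tuple(flow: Flow, workers: int) -> int:
    """Symmetric 5-tuple hash: both directions of one connection land on the
    same worker, but two different connections between the same hosts
    usually do not."""
    a = (flow.src_ip, flow.src_port)
    b = (flow.dst_ip, flow.dst_port)
    lo, hi = sorted([a, b])
    return _digest(lo, hi, flow.proto) % workers


def worker_2tuple(flow: Flow, workers: int) -> int:
    """Symmetric 2-tuple hash: every connection between the same pair of
    hosts lands on the same worker, ports ignored."""
    lo, hi = sorted([flow.src_ip, flow.dst_ip])
    return _digest(lo, hi) % workers


def ftp_session(client: str, server: str, data_port: int):
    """Model a passive-mode FTP transfer: control connection to port 21,
    then a second connection from the client to the server's data port."""
    control = Flow(client, server, 51234, 21)
    data = Flow(client, server, 51235, data_port)
    return control, data


def same_worker(hash_fn, control: Flow, data: Flow, workers: int) -> bool:
    """True when the worker that parsed the PASV/PORT command also receives
    the data connection and can therefore attach the file extraction."""
    return hash_fn(control, workers) == hash_fn(data, workers)


def fraction_split(hash_fn, workers: int, sessions: int) -> float:
    """Fraction of constructed FTP sessions whose control and data
    connections are hashed to different workers."""
    rng = random.Random(1)  # fixed seed so the result is reproducible
    split = 0
    for _ in range(sessions):
        client = f"10.0.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        server = "192.0.2.10"  # constructed, documentation address
        control, data = ftp_session(client, server, rng.randrange(49152, 65535))
        if not same_worker(hash_fn, control, data, workers):
            split += 1
    return split / sessions


if __name__ == "__main__":
    for name, fn in (("5-tuple", worker_5tuple), ("2-tuple", worker_2tuple)):
        print(f"{name}: {fraction_split(fn, 4, 500):.0%} of sessions split across workers")
```

With four workers the 5-tuple model splits roughly three quarters of the sessions (the data connection lands on the control connection's worker only by chance), while the 2-tuple model never splits one. That matches the symptom in the thread: some FTP transfers extract correctly and others come out truncated, depending on which worker the data port happened to hash to. The practical check on a cluster is therefore whether the capture-layer load balancing keys on the host pair rather than the full 5-tuple for traffic where one session spans several connections.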