[Bro] files.log filename column is blank
johanna at icir.org
Wed Aug 9 16:11:51 PDT 2017
> I notice there is a filename column in the file.log but it is always empty whether I am doing HTTP transfer or FTP transfer in the network.
I am just going to refer back to a previous answer to this question:
(Short answer: because we don't have a reliable filename).
> Also when files are transferred over FTP do they show up in the files.log? Because I transferred some files over FTP but even though ftp.log is generated, there is no corresponding entry in files.log
No, I think they don't. If I remember it correctly this is due to the fact
that FTP uses separate connections for transferring the data, which (when
using clustering) will probably be handled by a different Bro worker than
the one handling the original connection; the other worker has no idea
that this is an FTP data connection.
I hope this helps,