[Bro] files.log filename column is blank

Johanna Amann johanna at icir.org
Wed Aug 9 16:11:51 PDT 2017

Hi Vikram,

> I notice there is a filename column in the file.log but it is always empty whether I am doing HTTP transfer or FTP transfer in the network.

I am just going to refer back to a previous answer to this question:

(Short answer: because we don't have a reliable filename).

> Also when files are transferred over FTP do they show up in the files.log? Because I transferred some files over FTP but even though ftp.log is generated, there is no corresponding entry in files.log

No, I think they don't. If I remember it correctly this is due to the fact
that FTP uses separate connections for transferring the data, which (when
using clustering) will probably be handled by a different Bro worker than
the one handling the original connection; the other worker has no idea
that this is an FTP data connection.

I hope this helps,
