[Bro-Dev] Script review: FTP

Seth Hall seth at icir.org
Wed Jan 5 10:19:15 PST 2011

Welcome to the first script review period everyone!

We are going to start with a single script/analyzer combination to get things started gently, and we may just stick to this model because, after discussing things a bit more, we decided that we are going to skip these public comment periods for many Bro scripts that are less user visible and we'll just make changes to them.

The FTP analyzer and ftp.bro script combination seems like a good place to start because it's mostly self-contained and the feature requests shouldn't be quite as crazy and complex as for the HTTP analyzer and scripts. :)

The ftp-ext.bro script that is still in my personal repository can be considered to be included in this review period too.

Here we go....

FTP Analyzer and ftp.bro
Related scripts:
	ftp-cmd-arg.bro  http://tracker.icir.org/bro/browser/bro/policy/ftp-cmd-arg.bro
	ftp.bro http://tracker.icir.org/bro/browser/bro/policy/ftp.bro
	ftp-ext.bro https://github.com/sethhall/bro_scripts/blob/master/ftp-ext.bro

	* Integrated with DPD for detecting FTP on any port.
	* Detects FTP sessions doing SITE exec (using FTP as a shell/terminal)
	* Detects file-related commands using names defined by a regular expression (a file like this /.*sshd\.(tar|tgz).*/ transferred over FTP doesn't look good)
	* Detects excessively long filenames.
	* Single line activity logging (in ftp-ext.bro, but currently only logs RETR and STOR actions, this will be expanded)
	* Detects unexpected FTP data transmissions
	* Detects privileged ports used for FTP data
	* Detects

Are there any other features that someone might find useful in their environment?  The off-port protocol detection, "SITE exec" detection, and activity logging have all been really useful for me at various times, but (like always) I have a sense that someone out there has an idea that they'd like to see implemented that I've never even considered.

The only example I can think of off the top of my head as a new feature I'd like to have is something to either positively or negatively alarm on regular expression defined ftp clients (the CLNT command which most clients seem to send).  You could either specify FTP clients that are supposed to be used or not to be used connecting inbound or outbound.  Actually, we will make sure to feed that into the software detection framework too.

Any and all comments and thoughts are welcome.  I will be summarizing this discussion somewhere for reference too.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
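
Added example, not part of the original message and not code from ftp.bro or ftp-ext.bro: a minimal offline Python sketch of four of the checks listed above (SITE exec, regex-defined filenames, excessively long filenames, privileged data ports), run over a constructed list of FTP control-channel commands. Only the sshd regular expression comes from the message; the command set, the 128-character length limit, the finding names and the sample session are assumptions.

```python
import re

# Pattern quoted in the message; everything else below is an assumed value.
SENSITIVE_FILES = re.compile(r".*sshd\.(tar|tgz).*")
FILE_CMDS = {"RETR", "STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO"}
MAX_FILENAME_LEN = 128  # assumed threshold for "excessively long"

def privileged_port(arg):
    """Return the port encoded in a PORT h1,h2,h3,h4,p1,p2 argument if < 1024."""
    parts = [p.strip() for p in arg.split(",")]
    if len(parts) != 6 or not all(p.isdigit() and int(p) < 256 for p in parts):
        return None  # malformed argument: nothing to report here
    port = int(parts[4]) * 256 + int(parts[5])
    return port if port < 1024 else None

def check_command(line):
    """Return the findings raised by one client request line."""
    cmd, _, arg = line.strip().partition(" ")
    cmd, arg = cmd.upper(), arg.strip()
    findings = []
    if cmd == "SITE" and arg.upper().startswith("EXEC"):
        findings.append("site_exec")
    if cmd in FILE_CMDS:
        if SENSITIVE_FILES.match(arg):
            findings.append("sensitive_filename")
        if len(arg) > MAX_FILENAME_LEN:
            findings.append("long_filename")
    if cmd == "PORT" and privileged_port(arg) is not None:
        findings.append("privileged_data_port")
    return findings

def scan(lines):
    """Return (command, finding) pairs for a whole session, in order."""
    return [(l.split(" ", 1)[0], f) for l in lines for f in check_command(l)]

# Constructed sample session (documentation address range, made-up names).
SAMPLE = [
    "USER anonymous",
    "PORT 192,0,2,10,0,22",       # data port 22: privileged
    "RETR /pub/tools/sshd.tgz",   # matches the filename regex
    "STOR " + "A" * 300,          # 300-character filename
    "SITE EXEC ls -la",
    "PORT 192,0,2,10,195,80",     # data port 50000: not reported
    "RETR readme.txt",
]

if __name__ == "__main__":
    for cmd, finding in scan(SAMPLE):
        print(f"{finding}: {cmd}")
```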
