[Bro] FTP data connections
Vern Paxson
vern at icir.org
Tue Feb 20 10:02:02 PST 2007
> I'm using bro to analyze ftp sessions and I want to identify ftp data connections.
>
> If the ftp session is in active mode, in ftp log file there is any
> line that indicates an ftp data connection instead in connection log
> file there is.
> Instead in passive mode there are any lines both in ftp log file and
> connection log file.
I'm afraid I'm having difficulty understanding from the above exactly what
you're asking. However, Bro's FTP analyzer (see policy/ftp.bro) treats
passive and active FTP transfers the same in terms of identifying the
corresponding connection as "ftp-data". See the calls in the script
to expect_connection().
> Are there any instructions that must be enabled to print information
> about data connections in ftp log file?
What information about the connections do you want? They're already
present in terms of PASV/PORT directives.
Vern
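
An added example, not part of the original message and not Bro's own code: a Python sketch of how the PASV/PORT directives mentioned above identify the data connection, by decoding the announced host and port and matching it against connection records. The function names, the record layout (originator IP, responder IP, responder port) and the sample lines are assumptions made for illustration.

```python
import re

# Six comma-separated decimal octets h1,h2,h3,h4,p1,p2 (RFC 959 host-port format).
HOSTPORT = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")

def parse_hostport(text):
    """Return (ip, port) from a PORT argument or a 227 reply, or None if malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def expected_data_endpoints(control_lines):
    """Map each announced (ip, port) to "active" or "passive" for one control channel."""
    expected = {}
    for direction, line in control_lines:
        is_port = direction == "client" and line.upper().startswith("PORT ")  # active
        is_pasv = direction == "server" and line.startswith("227 ")           # passive
        if is_port or is_pasv:
            ep = parse_hostport(line)
            if ep:
                expected[ep] = "active" if is_port else "passive"
    return expected

def label_connections(conns, expected):
    """Pair each (orig_ip, resp_ip, resp_port) record with its mode, or None if unannounced."""
    return [(c, expected.get((c[1], c[2]))) for c in conns]

# Constructed sample data (not taken from a real trace or a real Bro log).
CONTROL = [
    ("client", "PORT 192,0,2,10,195,80"),
    ("server", "200 PORT command successful"),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (198,51,100,5,78,52)"),
]
CONNS = [
    ("198.51.100.5", "192.0.2.10", 50000),  # server connects to client (active)
    ("192.0.2.10", "198.51.100.5", 20020),  # client connects to server (passive)
    ("192.0.2.10", "198.51.100.5", 80),     # unrelated connection
]

if __name__ == "__main__":
    for conn, mode in label_connections(CONNS, expected_data_endpoints(CONTROL)):
        print(conn, "ftp-data (%s)" % mode if mode else "not announced")
```

Matching on the responder address and port alone ignores timing, so a real correlation should also require that the connection starts after the directive and within a short window.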