[Bro] FTP password saving

Patrik Lundin patrik.lundin.swe at gmail.com
Sat Apr 21 06:05:08 PDT 2012


Hello,

First of all, I am very new to bro, excuse me if I am missing something
obvious!

Anyway: I have been playing around with bro analyzing a pcap which among
other things includes an FTP transaction. I noticed that the FTP
password field was set to <hidden>.

I managed to find the very nice documentation over at
http://www.bro-ids.org/documentation/scripts/base/protocols/ftp/main.html
which made me tweak the default_capture_password variable to "T". This
however did not seem to change the password field.

I then noticed that there was a specific check for known anonymous users
which would make sense to not store a password for, but the user in my case,
"ftpuser", was not in the list. Looking at the script it seemed to me the
test case was reversed, actually changing the password to <hidden> if
the user was _not_ in the anonymous list so I simply changed it. This
made the password visible.

I then tested changing the default_capture_password variable back and
forth but it didn't seem to make a difference: the password was shown
either way.  Based on this I grepped around somewhat in the other
scripts and found that the HTTP script did a similar thing with a
default_capture_password variable.

The actual use of the variable seemed to be missing from the FTP script,
so I added that as well based on the HTTP example.

Since I guess code says more than words, I created a git patch just to
show what was done, it can be fetched here:
http://dump.komsi.se/bro/0001-Fix-FTP-script-password-saving.patch

Finally, I might have missed it in the docs, but what would be the
preferable way to enable password capture? I'm guessing it belongs in
bro/site/local.bro but I'm not sure about the syntax to describe (in
this case) if the setting relates to HTTP or FTP etc.

Thanks for this great framework, it sure looks very interesting!

Regards,
Patrik Lundin
