[Bro] FTP password saving

Seth Hall seth at icir.org
Sat Apr 21 11:38:04 PDT 2012


On Apr 21, 2012, at 9:05 AM, Patrik Lundin wrote:

> I then noticed that there was a specific check for known anonymous users
> which would make sense to not store a password for, but the user in my case,
> "ftpuser", was not in the list. Looking at the script it seemed to me the
> test case was reversed, actually changing the password to <hidden> if
> the user was _not_ in the anonymous list so I simply changed it. This
> made the password visible.

That line of code actually works backwards from what you are thinking.  The password is always captured into that field if it's seen.  That line just overwrites the password before logging it if you decide that you actually don't want the password (you can inspect at runtime, but it's not logged).

> I then tested changing the default_capture_password variable back and
> forth but it didn't seem to make a difference: the password was shown
> either way.
> The actual use of the variable seemed to be missing from the FTP script,
> so I added that as well based on the HTTP example.

Good catch!  I totally missed that.

> Finally, I might have missed it in the docs, but what would be the
> preferable way to enable password capture? I'm guessing it belongs in
> bro/site/local.bro but I'm not sure about the syntax to describe (in
> this case) if the setting relates to HTTP or FTP etc.

redef FTP::default_capture_password = T;

Doing it in local.bro should be fine.

> Thanks for this great framework, it sure looks very interesting!


Thanks for reporting the bug.  I committed a slightly different fix to our fastpath branch and added "ftpuser" as another anonymous username.  The fix will show up in the 2.1 release.  You seem to have made the changes for yourself now to make this work at least, right?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/




