[Bro] FTP password saving

Seth Hall seth at icir.org
Sat Apr 21 17:41:18 PDT 2012 

On Apr 21, 2012, at 8:09 PM, Patrik Lundin wrote:

> Why have you decided that users
> "probably" want to log the password for anonymous/guest users?

The passwords used for those accounts are considered informational.  They aren't considered a secret value so we log it. :)

>> redef FTP::default_capture_password = T;
> Not sure if i'm doing it wrong, but i just added that to the end of
> local.bro and it didnt't seem to do anything.

Sorry, I forgot to be explicit that what you reported was a real bug which prevented this from working.  It's fixed in our fastpath branch (for small fixed like this) and will be incorporated into our 2.1 release.

> Thanks for looking into it and explaining stuff, i actually dont have a
> burning need to have "ftpuser" added, it just happened to be the user
> that was used in this specific pcap.

That's exactly the reason I added it.  We try to stick to what's actually seen in the real world and "ftpuser" seems like a reasonable name to add.

> Lets say i wanted to actually log passwords for all users, what would
> be the proper way to accomplish that?


Considering that this feature is broken in 2.0 you can apply the changes that I did in fastpath to your repository clone:

diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro
index e6c0131..aa7d824 100644
--- a/scripts/base/protocols/ftp/main.bro
+++ b/scripts/base/protocols/ftp/main.bro
@@ -22,7 +22,7 @@ export {
	const default_capture_password = F &redef;
	
	## User IDs that can be considered "anonymous".
-	const guest_ids = { "anonymous", "ftp", "guest" } &redef;
+	const guest_ids = { "anonymous", "ftp", "ftpuser", "guest" } &redef;
	
	type Info: record {
		## Time when the command was sent.
@@ -160,8 +160,12 @@ function ftp_message(s: Info)
	# or it's a deliberately logged command.
	if ( |s$tags| > 0 || (s?$cmdarg && s$cmdarg$cmd in logged_commands) )
		{
-		if ( s?$password && to_lower(s$user) !in guest_ids )
+		if ( s?$password && 
+		     !s$capture_password && 
+		     to_lower(s$user) !in guest_ids )
+			{
			s$password = "<hidden>";
+			}
		
		local arg = s$cmdarg$arg;
		if ( s$cmdarg$cmd in file_cmds )


  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

More information about the Bro mailing list