[Bro] FTP password saving
Seth Hall
seth at icir.org
Sat Apr 21 17:41:18 PDT 2012
On Apr 21, 2012, at 8:09 PM, Patrik Lundin wrote:
> Why have you decided that users
> "probably" want to log the password for anonymous/guest users?
The passwords used for those accounts are considered informational. They aren't considered a secret value so we log it. :)
>> redef FTP::default_capture_password = T;
> Not sure if I'm doing it wrong, but I just added that to the end of
> local.bro and it didn't seem to do anything.
Sorry, I forgot to be explicit that what you reported was a real bug which prevented this from working. It's fixed in our fastpath branch (for small fixes like this) and will be incorporated into our 2.1 release.
> Thanks for looking into it and explaining stuff, I actually don't have a
> burning need to have "ftpuser" added, it just happened to be the user
> that was used in this specific pcap.
That's exactly the reason I added it. We try to stick to what's actually seen in the real world and "ftpuser" seems like a reasonable name to add.
> Let's say I wanted to actually log passwords for all users, what would
> be the proper way to accomplish that?
Considering that this feature is broken in 2.0, you can apply the changes that I did in fastpath to your repository clone:
diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro
index e6c0131..aa7d824 100644
--- a/scripts/base/protocols/ftp/main.bro
+++ b/scripts/base/protocols/ftp/main.bro
@@ -22,7 +22,7 @@ export {
const default_capture_password = F &redef;
## User IDs that can be considered "anonymous".
- const guest_ids = { "anonymous", "ftp", "guest" } &redef;
+ const guest_ids = { "anonymous", "ftp", "ftpuser", "guest" } &redef;
type Info: record {
## Time when the command was sent.
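Review bot: Adding "ftpuser" to guest_ids widens what is written to ftp.log in cleartext, but the comment above the set still only says 'User IDs that can be considered "anonymous"'. Unlike "anonymous" and "ftp", "ftpuser" is often a real local account with a real password, so after this change its password is logged even while default_capture_password stays F; consider saying so in the comment (and in the release notes) so operators know to redef guest_ids in local.bro if that does not fit their environment. The check below compares against to_lower(s$user), so every entry in this set has to stay lowercase, as the new one is.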
@@ -160,8 +160,12 @@ function ftp_message(s: Info)
# or it's a deliberately logged command.
if ( |s$tags| > 0 || (s?$cmdarg && s$cmdarg$cmd in logged_commands) )
{
- if ( s?$password && to_lower(s$user) !in guest_ids )
+ if ( s?$password &&
+ !s$capture_password &&
+ to_lower(s$user) !in guest_ids )
+ {
s$password = "<hidden>";
+ }
local arg = s$cmdarg$arg;
if ( s$cmdarg$cmd in file_cmds )
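Review bot: The new condition reads s$capture_password directly, but this patch does not show that field being added to the Info record in the first hunk; it must exist with a default (such as &default=default_capture_password) rather than as an &optional field, because in Bro dereferencing an unset field with `$` is a runtime error and this branch runs for every logged FTP command. That field is also the only path by which a `redef FTP::default_capture_password = T` reaches this check, which explains the reported bug: the original line `if ( s?$password && to_lower(s$user) !in guest_ids )` never consulted the option at all, so the redef could not have any effect.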
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/