[Bro] FTP password saving
Patrik Lundin
patrik.lundin.swe at gmail.com
Sat Apr 21 18:36:58 PDT 2012
On Sat, Apr 21, 2012 at 08:41:18PM -0400, Seth Hall wrote:
>
> That's exactly the reason I added it. We try to stick to what's
> actually seen in the real world and "ftpuser" seems like a reasonable
> name to add.
>
Just to be explicit, this pcap is a "dig around these bits and find out
what is bad" training/testing example. I'm not sure it is actually
based on traffic caught in the wild.
>
> - if ( s?$password && to_lower(s$user) !in guest_ids )
> + if ( s?$password &&
> + !s$capture_password &&
> + to_lower(s$user) !in guest_ids )
> + {
> s$password = "<hidden>";
> + }
>
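Review bot: in the rewritten condition, `!s$capture_password` is ANDed in ahead of the `guest_ids` test, so once the flag is true no password is replaced by "<hidden>" and real account passwords reach the log in cleartext, not only anonymous/guest ones. The hunk does not show where `capture_password` is declared or what it defaults to, so confirm it defaults to false, and add a comment on this `if` (and on the field) saying that enabling it logs every FTP password. If the field is optional on the record, it also needs a `?$` check or a default before it is read here.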
I'm not sure I'm mentally parsing this right... Wouldn't this change
actually make the code log all passwords (as I expected in the first
place) if capture_password is true? Wasn't your intention to always keep
the passwords out of the logs unless specifically anonymous/guest?
It's getting very late/early here, hope I'm not being extraordinarily
slow!
Regards,
Patrik Lundin