[Bro] Bro not seeing certain FTP transfers

James Lay jlay at slave-tothe-box.net
Thu Apr 11 10:08:48 PDT 2013


Topic says it...here's what I have from conn.log:

2013-04-08T06:00:25-0600        rTIHfQrsHgh     x.x.x.x    26519   x.x.x.x   21      tcp     ftp     22.117093       1141    4128    RSTR   T       0       ShAdDaFr        111     5601    71      6972    (empty)

And from my other logs:
Apr  8 06:00:31 x.x.x.x FTP connection from interface:x.x.x.x/26519 to x.x.x.x/21, user Stored file filename

ftp.log has no record at all of either the filename or the IP address.  
I am my own ISP and I peer with two other ISPs over two separate 
interfaces, meaning a packet can go out one interface, but come in the 
other.  I'm running bro with:

bro -i eth4 -i eth5 local Site::local_nets += { ipspace/mask, ipspace/mask }

Any hints on where to look for a solution to this?  I suspect I'm going 
to end up bridging these interfaces.  Thank you.

James


