[Bro] Extracting File from Particular FTP Commands

Siwek, Jon jsiwek at illinois.edu
Tue Jul 22 07:19:01 PDT 2014


On Jul 21, 2014, at 11:36 PM, Pete <redlamb19 at gmail.com> wrote:

> I've thought about modifying the default FTP::file_over_new_connection event to associate the ftp command channel with the data
> channel, but was wondering if there is a better (more accepted) approach before doing so.

Maybe have your own “file_over_new_connection” handler that sets the field.  The downside to modifying the default handler in-place is that you have to remember the change will be overwritten on the next Bro install.  The downside of having your own handler is sometimes duplication of logic (e.g. the “ftp_data_expected” table lookup).  You can decide which is better, but the general suggestion is usually to just maintain your own event handlers separately.

- Jon
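The separate handler Jon describes, written out as an added example (not code from the thread or from Bro's own FTP scripts): it repeats the `ftp_data_expected` lookup, records the command channel on the file, and extracts only files produced by chosen commands. It assumes the Bro 2.x layout where `FTP::ftp_data_expected` is a `table[addr, port] of FTP::Info` holding the session's `uid` and current `command`; the `extract_cmds` set and the two `Files::Info` fields are this example's own names.

```bro
# Added example: a stand-alone handler instead of editing Bro's default
# file_over_new_connection handler in base/protocols/ftp.
# Assumptions (Bro 2.x): FTP::ftp_data_expected is table[addr, port] of FTP::Info,
# FTP::Info carries $uid and the current $command string, and f$info exists
# because the Files framework fills it at a higher priority.
@load base/protocols/ftp
@load base/files/extract

module FTP;

export {
	## FTP commands whose data channel should be written to disk (example name).
	const extract_cmds: set[string] = { "RETR", "STOR" } &redef;
}

redef record Files::Info += {
	## Command channel uid and FTP command that produced this file (example fields).
	ftp_cmd_uid: string &optional &log;
	ftp_cmd:     string &optional &log;
};

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=3
	{
	# Same lookup the default handler does: the data channel is keyed by the
	# server-side endpoint announced in the PORT/PASV exchange.
	if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected )
		return;

	local s = ftp_data_expected[c$id$resp_h, c$id$resp_p];
	if ( ! s?$command )
		return;

	# Tie the file record in files.log back to the command channel.
	f$info$ftp_cmd_uid = s$uid;
	f$info$ftp_cmd = s$command;

	# Extract only for the commands of interest, named after command and file id.
	if ( s$command in extract_cmds )
		Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
		                    [$extract_filename=fmt("ftp-%s-%s", s$command, f$id)]);
	}
```

Because the handler lives in your own script, a Bro upgrade leaves it untouched; the cost is the duplicated lookup, as Jon notes.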


