[Bro] [bro] FTP User Name
Vlad Grigorescu
vladg at illinois.edu
Wed Feb 10 07:50:24 PST 2016
From the USER command. See:
https://github.com/bro/bro/blob/master/scripts/base/protocols/ftp/main.bro#L169
> if ( command == "USER" )
>     c$ftp$user = arg;
It's possible that the analyzer has a bug in it - if you could share
some more details or ideally a PCAP, we can look at getting it fixed.
Thanks,
--Vlad
Tim Desrochers <tgdesrochers at gmail.com> writes:
> Where does the username from FTP logs get derived from?
>
> I have a use case where I see FTP traffic to a destination but my AD is
> reporting the user originating the traffic as one name but the user field
> of the FTP log shows a different name.
>
> Why would this be?
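As an added illustration (not part of the original message and not Bro's own code), this Python sketch applies the same rule as the quoted script line to constructed control-channel lines: the recorded user is whatever argument the client sent with USER, and a later USER on the same connection overwrites it. The connection ids, the sample lines, and the case-insensitive command match are assumptions of the sketch.

```python
# Added illustration (not Bro code): mirrors
#   if ( command == "USER" ) c$ftp$user = arg;
from typing import Dict, Iterable, Optional, Tuple


def split_command(line: bytes) -> Tuple[str, str]:
    """Split one client control-channel line into (COMMAND, argument)."""
    text = line.rstrip(b"\r\n").decode("latin-1")
    command, _, arg = text.partition(" ")
    # Assumption of this sketch: commands are matched case-insensitively.
    return command.upper(), arg


def ftp_users(lines: Iterable[Tuple[str, bytes]]) -> Dict[str, Optional[str]]:
    """Return the user recorded per connection id; each USER overwrites the last."""
    users: Dict[str, Optional[str]] = {}
    for conn_id, line in lines:
        users.setdefault(conn_id, None)  # connection seen, no USER yet
        command, arg = split_command(line)
        if command == "USER":
            users[conn_id] = arg
    return users


# Constructed sample: (hypothetical connection id, client line).
# Only what the client sends after USER is recorded; nothing in these
# lines carries the workstation's directory logon name.
SAMPLE = [
    ("C1", b"USER anonymous\r\n"),
    ("C1", b"PASS guest@example.com\r\n"),
    ("C2", b"user svc_backup\r\n"),
    ("C2", b"USER ftp admin\r\n"),  # second USER replaces the first
    ("C3", b"SYST\r\n"),            # no USER sent on this connection
]

if __name__ == "__main__":
    for conn, user in ftp_users(SAMPLE).items():
        print(conn, user)
```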