[Bro] [bro] FTP User Name

Tim Desrochers tgdesrochers at gmail.com
Wed Feb 10 07:58:50 PST 2016


Unfortunately I cannot share any pcap due to the network the device is on.
I can share that we believe the FTP account accessed is in the name of the
"USER" field recorded by Bro, but the AD user who uploaded the item is a
different user.

So I guess my question should be, does Bro pull the name from the FTP
session or does it try to pull info from something like the device's log to
determine the user of the IP address who uploaded the file?

On Wed, Feb 10, 2016 at 10:50 AM, Vlad Grigorescu <vladg at illinois.edu>
wrote:

> From the USER command. See:
>
> https://github.com/bro/bro/blob/master/scripts/base/protocols/ftp/main.bro#L169
>
> >       if ( command == "USER" )
> >               c$ftp$user = arg;
>
> It's possible that the analyzer has a bug in it - if you could share
> some more details or ideally a PCAP, we can look at getting it fixed.
>
> Thanks,
>
>   --Vlad
>
> Tim Desrochers <tgdesrochers at gmail.com> writes:
>
> > Where does the username from FTP logs get derived from?
> >
> > I have a use case where I see FTP traffic to a destination but my AD is
> > reporting the user originating the traffic as one name but the user field
> > of the FTP log shows a different name.
> >
> > Why would this be?
>
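An added example, not part of the thread and not Bro's own code: a Python sketch of the quoted `USER` handling, showing that the logged name is whatever the client sent on the control channel, and how to flag sessions where it differs from the directory logon for the same source IP. The connection IDs, addresses, account names and the `AD_LOGON_BY_IP` mapping are constructed for illustration.

```python
# Constructed sample data: (connection uid, originator IP, client control-channel line).
FTP_CONTROL = [
    ("C1", "10.0.0.5", "USER svc_upload"),
    ("C1", "10.0.0.5", "PASS ********"),
    ("C1", "10.0.0.5", "STOR report.zip"),
    ("C2", "10.0.0.9", "USER anonymous"),
    ("C2", "10.0.0.9", "USER jsmith"),      # a second USER replaces the first
    ("C2", "10.0.0.9", "RETR notes.txt"),
    ("C3", "10.0.0.7", "STOR early.bin"),   # no USER seen on this connection
]

# Hypothetical IP-to-account mapping, e.g. built from domain controller logon events.
AD_LOGON_BY_IP = {"10.0.0.5": "alice", "10.0.0.9": "jsmith"}


def ftp_users(lines):
    """Track the FTP user per connection the way the quoted snippet does:
    the argument of the most recent USER command becomes the session's user."""
    sessions = {}
    for uid, orig_h, line in lines:
        command, _, arg = line.partition(" ")
        command = command.upper()  # FTP commands are case-insensitive (RFC 959)
        s = sessions.setdefault(uid, {"orig_h": orig_h, "user": None, "transfers": []})
        if command == "USER":
            s["user"] = arg
        elif command in ("STOR", "RETR"):
            # Record which FTP account was in effect when the file moved.
            s["transfers"].append((command, arg, s["user"]))
    return sessions


def mismatches(sessions, ad_by_ip):
    """Return (uid, ip, ftp_user, ad_user) where the FTP account name differs
    from the directory account last seen on the originating host."""
    out = []
    for uid, s in sorted(sessions.items()):
        ad_user = ad_by_ip.get(s["orig_h"])
        if s["user"] is None or ad_user is None:
            continue  # nothing to compare against
        if s["user"].lower() != ad_user.lower():
            out.append((uid, s["orig_h"], s["user"], ad_user))
    return out


if __name__ == "__main__":
    for row in mismatches(ftp_users(FTP_CONTROL), AD_LOGON_BY_IP):
        print("FTP user %s on %s (%s) but AD logon is %s" % (row[2], row[1], row[0], row[3]))
```

A mismatch like the one for `C1` is expected whenever someone logged on to a workstation under one account authenticates to the FTP server with a different, shared or service account.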