[Zeek] configuring base option default values and ftp log
Seth Hall
seth at corelight.com
Thu Jan 24 06:34:55 PST 2019
On 24 Jan 2019, at 0:01, Ambros Novak wrote:
> 1) How do you configure an option in ./base/ in site/local.bro? For example
> "base/protocols/ftp/info.bro:11: option default_capture_password = F;"
> would like that to be set to T but don't want to change it in a ./base/
> file.
You have two options since you seem to be using 2.6. You can use the
old "redef" style in local.bro like this...

    redef FTP::default_capture_password = T;

or you can use the new configuration framework which Johanna has
described here:
https://corelight.blog/2018/02/13/runtime-options-the-bro-configuration-framework/
> 2) I see FTP traffic in connection log but there is no ftp.log generated.
> Must this be turned on.
Hm, no. It should be turned on by default. Feel free to paste a conn
log line where you'd expect to see an FTP log but don't.
> 3) Lastly (and sneaky third question), I am extracting all files types. I
> can extract the file via HTTP but am unable to extract the same over FTP.
> Must this be turned on for FTP and IRC?
How are you doing the extraction for HTTP? If you're coming at it from
the Files framework then it's a very easy change. (there are several
ways you could approach it)
.Seth
--
Seth Hall * Corelight, Inc * www.corelight.com
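
The configuration-framework route and a Files-framework extraction that does not depend on the protocol, sketched for Bro 2.6 as an added example (not code from this thread or from the Zeek project). The config file path, the `extract_sources` set, the handler name and the extracted file names are assumptions.

```zeek
# Added example for site/local.bro on Bro 2.6 (on Zeek 3.0+ use zeek_init
# and .zeek file names).
@load base/frameworks/config
@load base/frameworks/files
@load base/protocols/ftp

# Assumed path. The file holds one "<option> <value>" pair per line, e.g.:
#   FTP::default_capture_password	T
# It is re-read at runtime when it changes, so no restart is needed.
redef Config::config_files += { "/usr/local/bro/etc/options.dat" };

# Assumption: these are the file sources to extract. f$source carries the name
# of the analyzer that delivered the file, so FTP and IRC DCC transfers show up
# as FTP_DATA and IRC_DATA rather than FTP and IRC.
const extract_sources: set[string] = { "HTTP", "FTP_DATA", "IRC_DATA" } &redef;

# Change handler: record every runtime change of the option. With the option
# set to T, ftp.log stores cleartext passwords, so the change is worth auditing.
function password_capture_changed(ID: string, new_value: bool): bool
	{
	Reporter::info(fmt("%s changed to %s", ID, new_value));
	return new_value;
	}

event bro_init()
	{
	Option::set_change_handler("FTP::default_capture_password",
	                           password_capture_changed);
	}

# Protocol-independent extraction: attach the extract analyzer to any new file
# whose source is in the set above.
event file_new(f: fa_file)
	{
	if ( f$source !in extract_sources )
		return;

	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=fmt("%s-%s", f$source, f$id)]);
	}
```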