[Zeek] configuring base option default values and ftp log

Seth Hall seth at corelight.com
Thu Jan 24 06:34:55 PST 2019



On 24 Jan 2019, at 0:01, Ambros Novak wrote:

> 1) How do you configure an option in ./base/ in site/local.bro? For example
> "base/protocols/ftp/info.bro:11: option default_capture_password = F;"
> would like that to be set to T but don't want to change it in a ./base/ file.

You have two options since you seem to be using 2.6.  You can use the 
old "redef" style in local.bro like this...

redef FTP::default_capture_password = T;

or you can use the new configuration framework which Johanna has 
described here:
	https://corelight.blog/2018/02/13/runtime-options-the-bro-configuration-framework/

> 2) I see FTP traffic in connection log but there is no ftp.log generated.
> Must this be turned on?

Hm, no.  It should be turned on by default.  Feel free to paste a conn 
log line where you'd expect to see an FTP log but don't.

> 3) Lastly (and sneaky third question), I am extracting all file types. I
> can extract the file via HTTP but am unable to extract the same over FTP.
> Must this be turned on for FTP and IRC?

How are you doing the extraction for HTTP?  If you're coming at it from 
the Files framework then it's a very easy change. (there are several 
ways you could approach it)

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com
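
The two approaches named in the reply above, side by side for site/local.bro on Bro 2.6. This is an added example, not part of the original message or the Zeek project's own code; the options file path and the handler name log_pw_option_change are assumptions.

```zeek
# site/local.bro (Bro 2.6 naming: .bro files, bro_init event)

# Approach 1: parse-time override. The value is fixed until the next restart.
# Uncomment to use it on its own.
# redef FTP::default_capture_password = T;

# Approach 2: configuration framework. The value is read from a file that
# is watched at runtime, so it can be flipped without a restart.
# The path below is a placeholder (assumption); point it at your own file.
redef Config::config_files += { "/usr/local/bro/etc/options.dat" };

# Contents of options.dat, one option per line, name and value separated
# by whitespace:
#
#   FTP::default_capture_password	T
#
# With the option set to T, ftp.log records cleartext passwords, so access
# to that log should be restricted like any other credential store.

# Hypothetical handler name. A change handler receives the option name and
# the proposed value, and returns the value that will actually be applied.
function log_pw_option_change(ID: string, new_value: bool): bool
	{
	print fmt("option %s set to %s", ID, new_value);
	return new_value;
	}

event bro_init()
	{
	# Register the handler so every runtime change to this option is visible.
	Option::set_change_handler("FTP::default_capture_password",
	                           log_pw_option_change);
	}
```

Changes applied through the configuration framework are also written to config.log, which gives an audit trail of when password capture was switched on or off.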


