ftp

Event handlers

The standard script handles the following events:

ftp_request (c: connection, command: string, arg: string)
Invoked upon connection c having made the request command with the argument arg. The processing depends on the particular command:
USER
If the username appears in hot_ids (which the ftp analyzer accesses via a @load of hot-ids), then the analyzer flags the FTP session as log-worthy. In addition, if the username is in forbidden_ids, then the analyzer terminates the session. The analyzer also updates the connection's addl field with the username.
PASS
If the password is empty and the username appears in forbidden_ids_if_no_password (also from the hot-ids analyzer), then the analyzer terminates the connection. If the username corresponds to a guest account (ftp_guest_ids), then the analyzer updates the connection's addl field with the password as additional account information. Otherwise, it generates an account_tried event to facilitate detection of password guessing.
PORT
The analyzer parses the address/port specification given as the argument, generating alerts if it is problematic, and records it so that is_ftp_data_conn can identify a subsequent connection corresponding to this directive as belonging to this FTP session.
ACCT

APPE, CWD, DELE, MKD, RETR, RMD, RNFR, RNTO, STOR, STOU
ftp_reply (c: connection, code: count, msg: string, cont_resp: bool)
Invoked upon connection c having replied to a request using the given status code and text message. cont_resp is true if the reply line is tagged as being continued on the next line; the analyzer only processes a continued reply once its last line is received.

The analyzer checks the reply against any expectation recorded for the connection (for example, "log_if_not_denied") and generates alerts accordingly. If the reply corresponds to a PASV directive, then it parses the address/port specification in the reply and generates alerts in the same fashion as the ftp_request handler does for PORT directives.

Finally, if the reply is not one that the analyzer is hardwired to skip (code 150, used at the beginning of a data transfer, and code 331, used to prompt for a password), then it writes a summary of the request and reply to the FTP log file (see: ftp variables). Also, if the reply is an "orphan" (there was no corresponding request, perhaps because Bro started up after the request was made), then the reply is summarized in the log file by itself.
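The following is an added worked example, not code from the Bro distribution: a stand-alone Python reimplementation of the request-side and reply-side processing described above for ftp_request (USER, PASS, PORT) and ftp_reply (continued replies, expectation checks, PASV, orphans, and the hardwired skip of codes 150 and 331). The policy tables hot_ids, forbidden_ids, forbidden_ids_if_no_password and ftp_guest_ids are named on the page, but their contents here are constructed; the FtpSession class, the event list, the h1,h2,h3,h4,p1,p2 parser, the "not the client's/server's own address" check on PORT and PASV, and the reading of "log_if_not_denied" as "alert unless the server answered 4xx/5xx" are all assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the policy tables the page names; their contents are assumptions.
HOT_IDS = {"root", "uucp", "lp"}
FORBIDDEN_IDS = {"uucp"}
FORBIDDEN_IDS_IF_NO_PASSWORD = {"lp"}
FTP_GUEST_IDS = {"anonymous", "ftp"}
SKIP_CODES = {150, 331}  # replies the analyzer is hardwired not to log
LOG_IF_NOT_DENIED = "log_if_not_denied"

@dataclass
class FtpSession:
    orig_h: str              # client address (Bro's c$id$orig_h)
    resp_h: str              # server address (c$id$resp_h)
    user: str = ""
    addl: str = ""           # mirrors the connection's addl field
    hot: bool = False        # session flagged as log-worthy
    terminated: bool = False
    pending: list = field(default_factory=list)      # (command, arg, expectation) awaiting a reply
    cont_buf: list = field(default_factory=list)     # earlier lines of a continued reply
    data_expected: set = field(default_factory=set)  # (host, port) pairs announced by PORT/PASV
    events: list = field(default_factory=list)       # ("alert", text) or ("account_tried", user, pw)
    log: list = field(default_factory=list)

def parse_hostport(text):
    """Parse the h1,h2,h3,h4,p1,p2 form shared by PORT arguments and PASV replies."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", text)
    n = [int(x) for x in m.groups()] if m else []
    if not n or max(n) > 255:
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def ftp_request(s, command, arg, expect=None):
    """Request side: USER/PASS policy checks and PORT bookkeeping."""
    s.pending.append((command, arg, expect))
    if command == "USER":
        s.user = s.addl = arg
        s.hot = s.hot or arg in HOT_IDS
        if arg in FORBIDDEN_IDS:
            s.terminated = True
    elif command == "PASS":
        if arg == "" and s.user in FORBIDDEN_IDS_IF_NO_PASSWORD:
            s.terminated = True
        elif s.user in FTP_GUEST_IDS:
            s.addl = f"{s.user}/{arg}"                 # a guest "password" is account info
        else:
            s.events.append(("account_tried", s.user, arg))  # input for password-guessing detection
    elif command == "PORT":
        hp = parse_hostport(arg)
        if hp is None or hp[0] != s.orig_h:            # assumption: alert if malformed or not the client
            s.events.append(("alert", f"suspicious PORT {arg}"))
        else:
            s.data_expected.add(hp)

def ftp_reply(s, code, msg, cont_resp):
    """Reply side: continuation, expectation check, PASV, orphans and the log summary."""
    if cont_resp:                                      # wait for the last line of a continued reply
        s.cont_buf.append(msg)
        return None
    msg = " | ".join(s.cont_buf + [msg])
    s.cont_buf.clear()
    req = s.pending.pop(0) if s.pending else None
    if req is not None:
        command, arg, expect = req
        if expect == LOG_IF_NOT_DENIED and code < 400:  # assumption: 4xx/5xx count as "denied"
            s.events.append(("alert", f"{command} {arg} not denied ({code})"))
        if command == "PASV":
            hp = parse_hostport(msg)
            if hp is None or hp[0] != s.resp_h:        # assumption: the PORT check, server side
                s.events.append(("alert", f"suspicious PASV reply {msg}"))
            else:
                s.data_expected.add(hp)
    summary = f"{code} {msg}" if req is None else f"{req[0]} {req[1]} -> {code} {msg}"
    if code not in SKIP_CODES:
        s.log.append(("orphan " if req is None else "") + summary)
    return summary

def is_ftp_data_conn(s, resp_h, resp_p):
    return (resp_h, resp_p) in s.data_expected

def run_demo():
    s = FtpSession(orig_h="10.0.0.5", resp_h="192.0.2.10")
    ftp_reply(s, 220, "Welcome", False)                            # orphan: no request seen yet
    ftp_request(s, "USER", "root")
    ftp_reply(s, 331, "Password required", False)                  # hardwired skip
    ftp_request(s, "PASS", "secret")
    ftp_reply(s, 230, "Logged in", False)
    ftp_request(s, "PORT", "10,0,0,5,4,1")                         # client announces 10.0.0.5:1025
    ftp_reply(s, 200, "PORT command successful", False)
    ftp_request(s, "PASV", "")
    ftp_reply(s, 227, "Entering Passive Mode (192,0,2,10,8,0)", False)  # server 192.0.2.10:2048
    ftp_request(s, "RETR", "payroll.dat", expect=LOG_IF_NOT_DENIED)
    ftp_reply(s, 550, "Permission denied", False)
    ftp_request(s, "STAT", "")
    ftp_reply(s, 211, "Status begins", True)                       # continued: not processed yet
    ftp_reply(s, 211, "Status ends", False)
    return s
```

Running run_demo() leaves the session flagged hot (USER root), one account_tried event for the non-guest login, two announced data endpoints that is_ftp_data_conn recognises, and six log lines: the orphan 220 greeting on its own, the 331 prompt skipped, and the continued 211 reply written once as a single summary. Requests and replies are matched first-in, first-out, which is why a reply seen before any request is treated as an orphan rather than attached to a later request.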
The standard ftp script defines one other handler, used to flush FTP session information in case the session terminates abnormally and no reply is seen to the pending request(s).