7.16.1 The ftp_session_info record

The main data structure managed by the ftp analyzer is a collection of ftp_session_info records, where the record type is shown below:

     type ftp_session_info: record {
         id: count;                  # unique number associated w/ session
         user: string;               # username, if determined
         request: string;            # pending request or requests
         num_requests: count;        # count of pending requests
         request_t: time;            # time of request
         log_if_not_denied: bool;    # unless code 530 on reply, log it
         log_if_not_unavail: bool;   # unless code 550 on reply, log it
         log_it: bool;               # if true, log the request(s)
     };

The corresponding fields are:

id
The unique session identifier assigned to this session. Sessions are numbered starting at 1 and incrementing with each new session.
user
The username associated with this session (from the initial FTP authentication dialog), or an empty string if not yet determined.
request
The pending request, if the client has issued any. Ordinarily there is at most one pending request, but a client can in fact send several requests to the server at once, and an attacker may do so in an attempt to confuse the analyzer into mismatching responses with requests, or into simply forgetting about earlier requests.
num_requests
A count of how many requests are currently pending.
request_t
The time at which the pending request was issued.
log_if_not_denied
If true, then when the reply to the current request comes in, Bro should log it, unless the reply code is 530 (“denied”).
log_if_not_unavail
If true, then when the reply to the current request comes in, Bro should log it, unless the reply code is 550 (“unavail”).
log_it
If true, then when the reply to the current request comes in, Bro should log it.
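The following Python simulation is an added example, not Bro's own code or script: it mirrors the ftp_session_info record and shows how an analyzer built on it would number sessions from 1, queue pipelined requests, match replies to the oldest pending request, and apply the log_if_not_denied (530), log_if_not_unavail (550) and log_it rules. The LOG_POLICY mapping from FTP command to logging flag is an assumption made for illustration; the page does not say which commands set which flag. Because the flags live on the session rather than on each queued request, a pipelined second request overwrites the flags of the first, which is exactly the confusion the description of the request field warns about.

```python
"""Simulation (added example, not Bro's own code) of ftp_session_info
handling: session numbering, pending-request tracking and the
log_if_not_denied / log_if_not_unavail / log_it reply rules."""
from dataclasses import dataclass

DENIED = 530    # reply code the record treats as "denied"
UNAVAIL = 550   # reply code the record treats as "unavail"

# Hypothetical per-command logging policy (an assumption, not from the page).
LOG_POLICY = {
    "PASS": "log_if_not_denied",   # log a login unless the server says 530
    "RETR": "log_if_not_unavail",  # log a fetch unless the server says 550
    "DELE": "log_it",              # always log deletions
}


@dataclass
class FtpSessionInfo:
    """Python mirror of the ftp_session_info record fields."""
    id: int
    user: str = ""
    request: str = ""          # pending request(s), newline-separated, oldest first
    num_requests: int = 0
    request_t: float = 0.0
    log_if_not_denied: bool = False
    log_if_not_unavail: bool = False
    log_it: bool = False


class FtpAnalyzer:
    def __init__(self):
        self._next_id = 1       # sessions are numbered starting at 1
        self.log = []           # tuples of (session id, user, request, reply code)
        self.notices = []       # e.g. a warning when a client pipelines requests

    def new_session(self) -> FtpSessionInfo:
        s = FtpSessionInfo(id=self._next_id)
        self._next_id += 1
        return s

    def client_request(self, s: FtpSessionInfo, line: str, now: float) -> None:
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            s.user = arg.strip()            # username from the authentication dialog
        # Queue the request; more than one pending means the client pipelined.
        s.request = line if not s.request else s.request + "\n" + line
        s.num_requests += 1
        s.request_t = now
        if s.num_requests > 1:
            self.notices.append((s.id, "pipelined requests", s.num_requests))
        # The flags are per session, so a new request replaces the flags that
        # belonged to any still-pending predecessor (the mismatch risk).
        s.log_if_not_denied = s.log_if_not_unavail = s.log_it = False
        flag = LOG_POLICY.get(cmd)
        if flag:
            setattr(s, flag, True)

    def server_reply(self, s: FtpSessionInfo, code: int):
        """Match a reply to the oldest pending request; return the log entry or None."""
        if s.num_requests == 0:
            return None                     # unsolicited reply: nothing to match
        pending, _, rest = s.request.partition("\n")
        s.request, s.num_requests = rest, s.num_requests - 1
        should_log = (s.log_it
                      or (s.log_if_not_denied and code != DENIED)
                      or (s.log_if_not_unavail and code != UNAVAIL))
        if s.num_requests == 0:
            s.log_if_not_denied = s.log_if_not_unavail = s.log_it = False
        if not should_log:
            return None
        entry = (s.id, s.user, pending, code)
        self.log.append(entry)
        return entry


if __name__ == "__main__":
    # Constructed sample dialog: a login, a refused fetch, and two pipelined deletions.
    analyzer = FtpAnalyzer()
    sess = analyzer.new_session()
    for line, code in [("USER alice", 331), ("PASS hunter2", 230),
                       ("RETR report.pdf", 550), ("RETR notes.txt", 150)]:
        analyzer.client_request(sess, line, 1.0)
        analyzer.server_reply(sess, code)
    analyzer.client_request(sess, "DELE a.txt", 2.0)
    analyzer.client_request(sess, "DELE b.txt", 2.0)
    analyzer.server_reply(sess, 250)
    analyzer.server_reply(sess, 250)
    print("log:", analyzer.log)
    print("notices:", analyzer.notices)
```

A real deployment would attach the logging flags to each queued request rather than to the session, so that a reply is judged by the flags of the request it actually answers; the simulation keeps the record's session-level layout so the effect of pipelining on the flags is visible.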