7.16.1 The ftp_session_info record

The main data structure managed by the ftp analyzer is a collection of ftp_session_info records, where the record type is shown below:
    type ftp_session_info: record {
        id: count;                  # unique number associated w/ session
        user: string;               # username, if determined
        request: string;            # pending request or requests
        num_requests: count;        # count of pending requests
        request_t: time;            # time of request
        log_if_not_denied: bool;    # unless code 530 on reply, log it
        log_if_not_unavail: bool;   # unless code 550 on reply, log it
        log_it: bool;               # if true, log the request(s)
    };
The corresponding fields are:

id
- The unique session identifier assigned to this session. Sessions are numbered starting at 1 and incrementing with each new session.

user
- The username associated with this session (from the initial FTP authentication dialog), or an empty string if not yet determined.

request
- The pending request, if the client has issued any. Ordinarily there would be at most one pending request, but a client can in fact send multiple requests to the server all at once, and an attacker could do so attempting to confuse the analyzer into mismatching responses with requests, or simply forgetting about previous requests.

num_requests
- A count of how many requests are currently pending.

request_t
- The time at which the pending request was issued.

log_if_not_denied
- If true, then when the reply to the current request comes in, Bro should log it, unless the reply code is 530 (“denied”).

log_if_not_unavail
- If true, then when the reply to the current request comes in, Bro should log it, unless the reply code is 550 (“unavail”).

log_it
- If true, then when the reply to the current request comes in, Bro should log it.
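The following is an added example, not code from the Bro manual or the Bro distribution. It is a small Python stand-in for the ftp analyzer's bookkeeping that mirrors the fields of ftp_session_info: it assigns session ids from 1, records the username from USER, keeps pending requests in order so that several commands sent in one segment are matched to their replies one by one, and applies the three logging flags against reply codes 530 and 550. The command-to-flag policy (PASS, RETR, SITE, PORT), the class and function names, and the sample FTP exchange are all assumptions constructed for the example; the rule that final replies answer requests in order and that 1xx replies are preliminary comes from RFC 959.

```python
"""Toy FTP session tracker modelled on Bro's ftp_session_info record (constructed example)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List

# Hypothetical policy: which commands set which logging flag. Not taken from the
# Bro manual; chosen here only to exercise the three flags in the record.
LOG_IF_NOT_DENIED = {"PASS"}     # log a login attempt unless the server replies 530
LOG_IF_NOT_UNAVAIL = {"RETR"}    # log a download unless the server replies 550
ALWAYS_LOG = {"SITE", "PORT"}    # log regardless of outcome


@dataclass
class FtpSessionInfo:
    id: int                                              # unique number associated w/ session
    user: str = ""                                       # username, if determined
    requests: Deque[str] = field(default_factory=deque)  # pending request(s), oldest first
    request_t: float = 0.0                               # time of the most recent request
    log_if_not_denied: bool = False
    log_if_not_unavail: bool = False
    log_it: bool = False

    @property
    def num_requests(self) -> int:
        return len(self.requests)


class FtpTracker:
    def __init__(self) -> None:
        self.next_id = 1
        self.sessions: Dict[str, FtpSessionInfo] = {}
        self.log: List[str] = []    # what the analyzer would write to its ftp log
        self.weird: List[str] = []  # protocol oddities worth an alert

    def session(self, conn: str) -> FtpSessionInfo:
        if conn not in self.sessions:
            self.sessions[conn] = FtpSessionInfo(id=self.next_id)
            self.next_id += 1
        return self.sessions[conn]

    def client_data(self, conn: str, data: str, now: float) -> None:
        """Client->server bytes; several commands may arrive in one segment."""
        s = self.session(conn)
        for line in data.split("\r\n"):
            if not line:
                continue
            cmd, _, arg = line.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                s.user = arg
            # Never keep the password itself in the pending-request record.
            s.requests.append("PASS <redacted>" if cmd == "PASS" else f"{cmd} {arg}".rstrip())
            s.request_t = now
            s.log_if_not_denied |= cmd in LOG_IF_NOT_DENIED
            s.log_if_not_unavail |= cmd in LOG_IF_NOT_UNAVAIL
            s.log_it |= cmd in ALWAYS_LOG
        if s.num_requests > 1:
            self.weird.append(f"session {s.id}: {s.num_requests} requests pending")

    def server_data(self, conn: str, data: str) -> None:
        """Server->client bytes; only final reply lines ('NNN text') complete a request."""
        s = self.session(conn)
        for line in data.split("\r\n"):
            if len(line) < 4 or not line[:3].isdigit() or line[3] != " ":
                continue  # blank line, continuation, or 'NNN-' opening a multi-line reply
            code = int(line[:3])
            if code < 200:
                continue  # 1xx is preliminary; the final reply is still to come
            if s.num_requests == 0:
                self.weird.append(f"session {s.id}: reply {code} with no pending request")
                continue
            req = s.requests.popleft()  # replies answer pending requests in order (RFC 959)
            if (s.log_it
                    or (s.log_if_not_denied and code != 530)
                    or (s.log_if_not_unavail and code != 550)):
                self.log.append(f"#{s.id} {s.user or '<unknown>'}: {req} -> {code}")
            if s.num_requests == 0:  # flags cover the whole pending batch; clear once drained
                s.log_if_not_denied = s.log_if_not_unavail = s.log_it = False


def run_demo() -> FtpTracker:
    """Constructed exchange: a failed then successful login, two pipelined RETRs, a stray reply."""
    t = FtpTracker()
    t.client_data("c1", "USER alice\r\n", 1.0)
    t.server_data("c1", "331 Password required\r\n")
    t.client_data("c1", "PASS hunter2\r\n", 2.0)
    t.server_data("c1", "530 Login incorrect\r\n")      # denied: not logged
    t.client_data("c1", "PASS s3cret\r\n", 3.0)
    t.server_data("c1", "230 User logged in\r\n")       # logged
    t.client_data("c1", "RETR secret.txt\r\nRETR notes.txt\r\n", 4.0)  # two requests at once
    t.server_data("c1", "150 Opening data connection\r\n226 Transfer complete\r\n")
    t.server_data("c1", "550 notes.txt: No such file\r\n")  # unavailable: not logged
    t.server_data("c1", "221 Goodbye\r\n")              # no request pending: flagged as weird
    return t


if __name__ == "__main__":
    demo = run_demo()
    print("\n".join(demo.log))
    print("\n".join(demo.weird))
```

Keeping the pending requests as an ordered queue rather than a single string is what lets the tracker survive a client that sends several commands in one segment: each final reply consumes exactly one request, and a reply arriving with nothing pending is reported rather than silently matched to the wrong command.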