ftp_log : file
The file into which FTP-related alerts are written.
ftp_sessions : table[conn_id] of ftp_session_info
ftp_guest_ids : set[string]
The set of login IDs which are guest logins, e.g., “anonymous” and “ftp”.
Note: This variable is const, so may only be changed via redef.
ftp_skip_hot : set[addr, addr, string]
Indexed by source and destination addresses and the id, these connections are not marked as “hot” even if their data would otherwise cause them to be.
Note: This variable is const, so may only be changed via redef.
ftp_hot_files : pattern
If a filename matching this pattern is requested, the ftp_sensitive_files event is generated. The default behavior is to log the connection.
Note: This variable is const, so may only be changed via redef.
ftp_hot_guest_files : pattern
If a user is logged in under a guest ID and attempts to retrieve a file matching this pattern, the ftp_sensitive event is generated. The default behavior is to log the connection.
Note: This variable is const, so may only be changed via redef.
ftp_hot_cmds : table[string] of pattern
If an FTP command matches an index into the table and its argument matches the associated pattern, the connection is logged.
Note: This variable is const, so may only be changed via redef.
skip_unexpected : set[addr]
Pairs of IP addresses for which we shouldn't bother logging if one of them is used in lieu of the other in a PORT or PASV directive.
skip_unexpected_net : set[addr]
Similar to skip_unexpected, but matches a /24 subnet.
ftp_data_expected : table[addr, port] of addr
Indexed by the server's responder pair, yields the address expected to make an FTP data connection to it.
ftp_data_expected_session : table[addr, port] of ftp_session_info
Indexed by the server's responder pair, yields the associated ftp_session_info record for the expected incoming FTP data connection.
ftp_excessive_filename_len : count
If an FTP request filename meets or exceeds this length, an FTP_ExcessiveFilename alert is generated.
ftp_excessive_filename_trunc_len : count
How much of the excessively long filename is printed in the alert message.
ftp_ignore_invalid_PORT : pattern
Invalid PORT/PASV directives that exactly match this pattern don't generate alerts.
ftp_ignore_privileged_PASVs : set[port]
If an FTP PASV port is specified to be a privileged port (< 1024/tcp) then an FTP_PrivPort event is generated, EXCEPT if the port is in this set.
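
The checks described for ftp_excessive_filename_len, ftp_excessive_filename_trunc_len, ftp_ignore_invalid_PORT and ftp_ignore_privileged_PASVs, modelled in Python as an added illustration (not the analyzer's own code). All values, the sample directives and the "invalid_directive" label are constructed assumptions; the host-port encoding is the RFC 959 form.

```python
import re

# Constructed values standing in for the variables documented above.
ftp_excessive_filename_len = 250
ftp_excessive_filename_trunc_len = 32
ftp_ignore_privileged_PASVs = {22}
ftp_ignore_invalid_PORT = r"\d+,\d+,\d+,\d+,\d+"  # e.g. a client that sends five fields

# RFC 959 host-port form: h1,h2,h3,h4,p1,p2, each a decimal byte.
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_hostport(text):
    """Return (addr, port) from a PORT argument or 227 reply, or None if invalid."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    return ".".join(str(v) for v in fields[:4]), fields[4] * 256 + fields[5]

def check_pasv(text):
    """Alerts for one PASV directive; 'invalid_directive' is a hypothetical label."""
    parsed = parse_hostport(text)
    if parsed is None:
        if re.fullmatch(ftp_ignore_invalid_PORT, text):  # exact match: stay quiet
            return []
        return ["invalid_directive: " + text]
    addr, port = parsed
    if port < 1024 and port not in ftp_ignore_privileged_PASVs:
        return ["FTP_PrivPort: %s:%d" % (addr, port)]
    return []

def check_filename(name):
    """Alert when the length meets or exceeds the limit; print only a prefix."""
    if len(name) >= ftp_excessive_filename_len:
        shown = name[:ftp_excessive_filename_trunc_len]
        return ["FTP_ExcessiveFilename: %s... (%d chars)" % (shown, len(name))]
    return []
```

Truncating the filename in the alert keeps an oversized request argument from flooding ftp_log while the full length is still recorded.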