Bro not seeing certain FTP transfers

James_inthe_box · April 11, 2013, 5:08pm

Topic says it...here's what I have from conn.log:

2013-04-08T06:00:25-0600 rTIHfQrsHgh x.x.x.x 26519 x.x.x.x 21 tcp ftp 22.117093 1141 4128 RSTR T 0 ShAdDaFr 111 5601 71 6972 (empty)

And from my other logs:
Apr 8 06:00:31 x.x.x.x FTP connection from interface:x.x.x.x/26519 to x.x.x.x/21, user Stored file filename

ftp.log has no record at all of either the filename or the IP address. I am my own ISP and I peer with two other ISP's over two separate interfaces, meaning a packet can go out one interface, but come in the other. I'm running bro with:

bro -i eth4 -i eth5 local Site::local_nets += { ipspace/mask, ipspace/mask }

Any hints on where to look for a solution to this? I suspect I'm going to end up bridging these interfaces. Thank you.

James

Castle_Shane · April 11, 2013, 5:25pm

I wonder if it's because the conversation ended with an RST - the originator sent a FIN and got back RST. I assume the line you quoted corresponds with the actual transfer.

James_inthe_box · April 11, 2013, 5:30pm

Indeed it does. Thanks Shane.

James

James_inthe_box · April 17, 2013, 12:36pm

No more thoughts on this all?

James

Topic		Replies	Views
ftp.log file isn't logging ftp related requests. Zeek	3	104	May 6, 2022
thank you and what does this mena? Zeek	2	93	May 6, 2022
Bro Digest, Vol 109, Issue 14 Zeek	2	116	May 6, 2022
Problem: Bro listening on two ethernet interfaces Zeek	1	64	May 6, 2022
bro http/ssl question Zeek	2	78	May 6, 2022

Bro not seeing certain FTP transfers

Related topics