Capture More FTP Commands

Howdy,

I have been attempting to diagnose my issue with not all FTP commands being logged in Zeek, and I believe that the reason is that only ten commands are listed in the logged_commands option within the ftp main script. (“APPE”, “DELE”, “RETR”, “STOR”, “STOU”, “ACCT”, “PORT”, “PASV”, “EPRT”, “EPSV”).

If this is the source of my problem, is it as easy as just listing every command from RFC 959 and the script will begin to log those commands without issue? Even if it requires a couple extra lines in the script to correctly capture the arguments and responses, I’m willing to do that.

Edit: I just saw that utils-commands.zeek exists and lists many of the commands I need to be logged. Because they are accounted for and have valid reply codes listed, should I be safe to just add those commands to the logged_commands option in main.zeek?

Yes, you can just list more by redef’ing to add them to that option. Regarding the ones listed in utils-commands.zeek, fine to add them - in fact, fine to add anything you want, that table is just used to do a lookup after a command has been found, so it won’t cause any harm to have bogus entries.

2 Likes
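The redef the reply describes, as an added example that is not part of the thread and not Zeek's own script code. It assumes the stock `FTP::logged_commands` set from `base/protocols/ftp/main.zeek` and the `ftp_request` event; the list of extra verbs is a constructed selection from RFC 959, and the runtime check is a diagnostic I added so you can confirm which commands are still not being written to ftp.log.

```zeek
# Site policy (e.g. appended to local.zeek) that widens FTP::logged_commands.
# Added example, not the thread's or the project's code.
@load base/protocols/ftp

# Extra RFC 959 verbs to log, on top of the ten defaults. Assumption: Zeek
# upper-cases the verb before the lookup, so entries are written upper-case.
# "PASS" is deliberately left out: its argument would be written to the
# `arg` column of ftp.log, which would leak credentials into the log.
redef FTP::logged_commands += {
    "USER", "CWD", "CDUP", "LIST", "NLST", "MKD", "RMD", "PWD",
    "RNFR", "RNTO", "TYPE", "MODE", "STRU", "REST", "ABOR", "SYST",
    "STAT", "HELP", "NOOP", "SITE", "SMNT", "REIN", "ALLO", "QUIT",
};

# Diagnostic only: report any verb seen on the wire that is still outside
# the set, so gaps in ftp.log can be explained. Remove once the set is tuned.
event ftp_request(c: connection, command: string, arg: string)
    {
    local verb = to_upper(command);
    if ( verb !in FTP::logged_commands )
        print fmt("unlogged FTP command %s from %s", verb, c$id$orig_h);
    }
```

Run it against a capture with `zeek -C -r ftp.pcap local.zeek` and compare the printed verbs with the `command` column of the resulting ftp.log; anything the diagnostic prints but the log lacks is a candidate for the set. Bogus entries are harmless, as the reply says, but each verb you add also adds its argument to the log, so review what each one carries before enabling it in production.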