configuring base option default values and ftp log

Hello!

Two separate questions:

  1. How do you configure an option in ./base/ in site/local.bro? For example “base/protocols/ftp/info.bro:11: option default_capture_password = F;” would like that to be set to T but don’t want to change it in a ./base/ file.

  2. I see FTP traffic in connection log but there is no ftp.log generated. Must this be turned on.

  3. Lastly (and sneaky third question), I am extracting all files types. I can extract the file via HTTP but am unable to extract the same over FTP. Must this be turned on for FTP and IRC?

Thank you very much for the help.

1) How do you configure an option in ./base/ in site/local.bro? For example
"base/protocols/ftp/info.bro:11: option default_capture_password = F;"
would like that to be set to T but don't want to change it in a ./base/
file.

You have two options since you seem to be using 2.6. You can use the old "redef" style in local.bro like this...

redef FTP::default_capture_password = T;

or you can use the new configuration framework which Johanna has described here:
  https://corelight.blog/2018/02/13/runtime-options-the-bro-configuration-framework/

2) I see FTP traffic in connection log but there is no ftp.log generated.
Must this be turned on.

Hm, no. It should be turned on by default. Feel free to paste a conn log line where you'd expect to see an FTP log but don't.

3) Lastly (and sneaky third question), I am extracting all files types. I
can extract the file via HTTP but am unable to extract the same over FTP.
Must this be turned on for FTP and IRC?

How are you doing the extraction for HTTP? If you'd coming at it from the Files framework then it's a very easy change. (there are several ways you could approach it)

   .Seth