Hello,
I'm using bro to analyze ftp sessions and I want identify ftp data connections.
If the ftp session is in active mode, in ftp log file there is any
line that indicate a ftp data connection instead in connection log
file there is.
Instead in passive mode there are any lines both in ftp log file and
connection log file.
Are there any istructions that must be enable to print information
about data connections in ftp log file?
Thanks
Christian Novello
I'm using bro to analyze ftp sessions and I want identify ftp data connections.
If the ftp session is in active mode, in ftp log file there is any
line that indicate a ftp data connection instead in connection log
file there is.
Instead in passive mode there are any lines both in ftp log file and
connection log file.
I'm afraid I'm having difficulty understanding from the above exactly what
you're asking. However, Bro's FTP analyzer (see policy/ftp.bro) treats
passive and active FTP transfers the same in terms of identifying the
corresponding connection as "ftp-data". See the calls in the script
to expect_connection().
Are there any istructions that must be enable to print information
about data connections in ftp log file?
What information about the connections do you want? They're already
present in terms of PASV/PORT directives.
Vern