Does Bro hash files it sees being uploaded and/or downloaded via FTP? When I see traffic in the ftp.log I never see a fuid, so I assume the file analyzer is not being executed against the traffic.
Am I correct in my assumption that by default Bro does not hash files it sees over FTP?
How can I invoke the file analyzer to have it hash all files seen over FTP?
This is due to a race decision in the FTP analyzer. Your control session and data session are likely being load balanced to separate workers due to them being separate TCP connections, and the information that the Data analyzer should expect a connection on a separate worker isn't being communicated quickly enough. We've discussed a few solutions to this problem, but still have not tackled it, unfortunately.
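To gauge how often a sensor is affected by the behaviour described in this thread, the following added example (not from the thread or from Bro itself) counts FTP transfer commands in an ftp.log that carry no fuid. The sample log is constructed and reduced to a few columns, and the set of commands treated as file transfers is an assumption.

```python
import io

# Assumption: FTP commands that move file data over the data connection.
TRANSFER_COMMANDS = {"RETR", "STOR", "STOU", "APPE"}

# Constructed sample in Bro's tab-separated log format, reduced to five columns.
SAMPLE_FTP_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\tcommand\targ\tfuid",
    "1400000000.1\tCctl1\tRETR\tftp://192.0.2.10/./report.pdf\tFdat1",
    "1400000001.2\tCctl2\tSTOR\tftp://192.0.2.10/./upload.zip\t-",
    "1400000002.3\tCctl3\tPASV\t-\t-",
    "1400000003.4\tCctl4\tRETR\tftp://192.0.2.11/./tool.exe\t-",
])


def parse_bro_log(stream):
    """Yield one dict per record, using the log's own #fields header."""
    fields, unset = [], "-"
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#unset_field\t"):
            unset = line.split("\t")[1]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split("\t")))
            # Map the log's "unset" marker to None so callers can test truthiness.
            yield {k: (None if v == unset else v) for k, v in row.items()}


def transfers_without_fuid(rows):
    """Return (total_transfers, missing); missing lists transfers with no fuid."""
    total, missing = 0, []
    for r in rows:
        if r.get("command") in TRANSFER_COMMANDS:
            total += 1
            if not r.get("fuid"):
                missing.append((r["uid"], r["command"], r.get("arg")))
    return total, missing


if __name__ == "__main__":
    total, missing = transfers_without_fuid(parse_bro_log(io.StringIO(SAMPLE_FTP_LOG)))
    print(f"{len(missing)} of {total} FTP transfers have no fuid (file was not analyzed)")
    for uid, command, arg in missing:
        print(f"  {uid}\t{command}\t{arg}")
```

Because the parser reads column names from the `#fields` header, it can be pointed at a full ftp.log by passing an open file handle instead of the sample.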