ftp filesize

Downie_Bob · February 6, 2019, 3:19pm

Bro ftp log only seems to record file_size for files that are pulled down from the interwebs. It does not record file size for files that are uploaded. Is this the expected behavior? We are running bro-2.5.3. Any help would be appreciated.

Thanks,

-Bob

Daniel_Guerra · February 8, 2019, 12:08pm

Hi Bob,

Files live in the file log. The uid from the ftp log leads to the file in the file log.

In the file log you can find the size of the file.

Regards,

Daniel

seth · February 13, 2019, 3:38pm

File sizes for FTP are a bit tricky. The scripts are just watching
for the server to indicate the file size in a reply message. I'm not
sure if the file size is transmitted by the client when a file is
being uploaded, I'd have to refer to some pcaps. If it is indicated
by the client then I think we could view that as a missing
implementation though.

.Seth

Christian · February 21, 2019, 12:43am

Fwiw, from the examples I have I don't see a size indication -- not in the STORs, nor in commands/responses surrounding it.

Best,
-C.

Topic		Replies	Views
FTP Filenames used for file size in some cases? Zeek	1	65	May 6, 2022
FTP::Info file_size field Zeek	3	117	May 6, 2022
buglet in FTP processing for 1.E7Vo2Cjyt39.pcap in slice 9 Development development	2	84	May 6, 2022
logging in bro Zeek	1	138	May 6, 2022
ftp.log file isn't logging ftp related requests. Zeek	3	104	May 6, 2022

ftp filesize

Related topics