Ftp: fuid logged for wrong data-connection

Hello,

I am a bit confused about the use of the fuid in the ftp.log:

my zeek script test.zeek is:

# Log these FTP commands in ftp.log in addition to the defaults.
redef FTP::logged_commands += { "LIST", "RETR", "TYPE", "SIZE", "CWD", "DELE" };

# Extract every file seen, so each FTP data connection produces a files.log entry.
event file_new(f: fa_file) {
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
}

I call zeek with a test-pcap: zeek -Cr test.zeek testing/btest/Traces/ftp/ftp-with-numbers-in-filename.pcap

The fuid FzwelK1cvu4OroNgn2 is used in files.log for ftp-data connection to port 47035:

1457455890.816659     FzwelK1cvu4OroNgn2      Cf3PRC3HZiLeO3Ch2h      192.168.21.95   54092   164.107.123.6   47035   FTP_DATA extract-1457455890.816659-FTP_DATA-FzwelK1cvu4OroNgn2

But when you look at ftp.log, the fuid also shows up in the following lines for connection to port 47079:

PASV    -       -       -       227     Entering Passive Mode (164,107,123,6,183,187)   T       192.168.21.95   164.107.123.6   47035   -
CWD     ftp://164.107.123.6/mirror      -       -       250     Directory successfully changed. -       -       -       -       -
LIST    -       -       -       150     Here comes the directory listing.       -       -       -       -       FzwelK1cvu4OroNgn2
PASV    -       -       -       227     Entering Passive Mode (164,107,123,6,183,231)   T       192.168.21.95   164.107.123.6   47079   FzwelK1cvu4OroNgn2
CWD     ftp://164.107.123.6/mirror/internic     -       -       250     Directory successfully changed. -       -       -       -       FzwelK1cvu4OroNgn2
LIST    -       -       -       226     Directory send OK.      -       -       -       -       F9FJGR2omqil0TrC4l

Shouldn’t the fuid be cleared once the next PASV command is seen? Perhaps this happens because I changed FTP::logged_commands?

Thanks!

Franky
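A way to check an ftp.log excerpt for the behaviour described above, as an added example that is not part of the thread or of Zeek's own code: it flags a fuid that is logged on more than one command, and a PASV/PORT row whose data-channel port disagrees with the port files.log recorded for that fuid. The log excerpts are constructed from the values in the post, with columns trimmed.

```python
import csv
import io
from collections import defaultdict

# Constructed excerpts mirroring the thread's ftp.log and files.log (columns
# trimmed); sample data for this example, not output of a real Zeek run.
FTP_LOG = """\
command\treply_code\tdata_channel.resp_p\tfuid
PASV\t227\t47035\t-
CWD\t250\t-\t-
LIST\t150\t-\tFzwelK1cvu4OroNgn2
PASV\t227\t47079\tFzwelK1cvu4OroNgn2
CWD\t250\t-\tFzwelK1cvu4OroNgn2
LIST\t226\t-\tF9FJGR2omqil0TrC4l
"""
FILES_LOG = """\
fuid\tresp_p\tsource
FzwelK1cvu4OroNgn2\t47035\tFTP_DATA
"""

def parse_log(text):
    """Parse a tab-separated excerpt with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))

def fuid_reuse(ftp_rows):
    """Return {fuid: [commands]} for every fuid that appears on more than one
    ftp.log row; a fuid cleared after being logged once never shows up here."""
    by_fuid = defaultdict(list)
    for row in ftp_rows:
        if row["fuid"] != "-":
            by_fuid[row["fuid"]].append(row["command"])
    return {f: cmds for f, cmds in by_fuid.items() if len(cmds) > 1}

def data_port_mismatches(ftp_rows, files_rows):
    """Return (command, ftp_port, files_port) for rows whose fuid belongs to a
    files.log data connection on a different port than the row's data channel."""
    port_of = {r["fuid"]: r["resp_p"] for r in files_rows}
    out = []
    for row in ftp_rows:
        fuid, port = row["fuid"], row["data_channel.resp_p"]
        if fuid in port_of and port != "-" and port != port_of[fuid]:
            out.append((row["command"], port, port_of[fuid]))
    return out

if __name__ == "__main__":
    ftp, files = parse_log(FTP_LOG), parse_log(FILES_LOG)
    print(fuid_reuse(ftp))                 # fuid carried onto PASV and CWD
    print(data_port_mismatches(ftp, files))  # PASV row: 47079 vs files.log 47035
```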

Hey Frank, I looked a bit.

Shouldn’t the fuid be cleared once the next PASV command is seen?

I could see this, yes. Nothing currently appears to clear fuid, and associating it with a subsequent command in general (not just PASV) is confusing.

I wonder if we could just unset fuid after a non-intermediary FTP reply has been received and logged (rather than only resetting for PORT/PASV).

I had better 1xx reply code handling somewhere stashed away, let me attempt to resurrect.

Thanks,
Arne

@Franky, as a follow-up, the latest master version has this changed to clear the fuid after it was logged once. This caused quite some changes in the testing baselines, but I believe it’s for the better. Happy to hear feedback.

Thank you for looking into that! I will get back to you once I have tested the fix.