FTP::Info file_size field

Greetings,

I have a series of FTP file upload tests we're analyzing with Zeek
3.2.2. The environment is as follows:

- FTP server: vsftpd 3.0.3
- FTP client: curl 7.64.0
- EPSV mode
- Uploads with STOR command

There are a number of fields documented for the FTP::Info record [1]
that aren't logged (have "-" values for those fields) for these tests
in ftp.log. One is `file_size`, documented as "Size of the file if the
command indicates a file transfer." Logged records have values logged
for args, mime_type, and fuid. But there is no value logged for
file_size. The files have been extracted successfully, so the
expectation is that given a STOR command was used ("...command
indicates a file transfer") and that given a file was extracted and
mime type identified, the file size would be logged in ftp.log. Is
there potentially an issue in the analyzer?

$ egrep '#fields|FsRuCZYQDY8FtmyS2' ftp.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p fuid
1606347082.807480 CNp3Rz21qqtfdKWnG9 10.1.1.5 59888 x.x.219.95 9826 testuser <redacted> STOR ftp://x.x.219.95/home/testuser/archived-unencrypted.zip application/zip - 226 Transfer complete. - - - - FsRuCZYQDY8FtmyS2
1606347082.972373 CNp3Rz21qqtfdKWnG9 10.1.1.5 59888 x.x.219.95 9826 testuser <redacted> EPSV - - - 229 Entering Extended Passive Mode (|||33369|) T 10.1.1.5 x.x.219.95 33369 FsRuCZYQDY8FtmyS2

Also noticing that in files.log there is a record of the extracted
file from the data channel, but no associated file name. Is this
expected for FTP_DATA since the data channel is just a stream of data
with no indication of file name (i.e. not informed by the control
channel)?

#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
1606347082.859187 FsRuCZYQDY8FtmyS2 10.1.1.5 x.x.219.95 C66As819fJARn0a3kj FTP_DATA 0 EXTRACT,SHA1,MD5 application/zip - 0.000170 - T 6187 - 0 0 F - 68a7676890bda812d1818269e9b942bc 633cb66a0565b4ed049cf4d65ed689bfe973ee51 - FTP_DATA-FsRuCZYQDY8FtmyS2.zip F -

[1] https://docs.zeek.org/en/current/scripts/base/protocols/ftp/info.zeek.html#type-FTP::Info

- Darren

Hello,

Can you share a pcap?

Sincerely,

Richard

FTP is a tricky protocol due to the control/data split and as the documentation suggests, that field is filled out by information provided in the protocol. We apparently don't collect a file size anywhere for FTP STOR commands although from looking around on the internet, I'm seeing evidence that at least some FTP servers provide that information in the control channel after a file transfer is complete.

Agreed with Richard overall though. A pcap would absolutely be the best thing at this point so we can see exactly what's happening in Zeek in your specific case.

   .Seth
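Until the analyzer records a size, the practical workaround for both questions in the thread (the unset `file_size` in ftp.log and the unset `filename` in files.log) is to join the two logs on `fuid`, which Zeek does populate in both. The script below is an added example, not code from the thread or from the Zeek project: it parses Zeek's tab-separated ASCII log format, and for each ftp.log record whose command moves a file it takes the size from files.log `seen_bytes` (checking `missing_bytes` and `timedout` so a truncated transfer is not reported as its full size) and the file name from the path in the ftp.log `arg` URL. The sample records are reconstructed from the email-wrapped, redacted log lines above; the `DATA_COMMANDS` set and all function names are the example's own assumptions.

```python
"""Join Zeek ftp.log with files.log on fuid to recover transfer size and file name."""
import posixpath
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

UNSET = "-"                                        # Zeek's placeholder for an unset field
DATA_COMMANDS = {"STOR", "STOU", "APPE", "RETR"}   # assumption: commands that move a file


def parse_zeek_tsv(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Zeek ASCII logs: a '#fields' header names the columns; records are tab-separated;
    other '#' lines (#separator, #types, #close, ...) are ignored."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or (line.startswith("#") and not line.startswith("#fields\t")):
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


@dataclass
class FtpTransfer:
    ts: str
    uid: str
    fuid: str
    command: str
    filename: Optional[str]   # basename of the ftp.log arg URL (files.log filename is unset)
    mime_type: Optional[str]
    size: Optional[int]       # ftp.log file_size if set, otherwise files.log seen_bytes
    complete: Optional[bool]  # from files.log: no missing bytes and not timed out
    md5: Optional[str]
    sha1: Optional[str]


def _filename_from_arg(arg: str) -> Optional[str]:
    if arg == UNSET:
        return None
    path = urlparse(arg).path if "://" in arg else arg   # ftp.log logs STOR/RETR args as URLs
    return posixpath.basename(path) or None


def summarize_transfers(ftp_lines: Iterable[str], files_lines: Iterable[str]) -> List[FtpTransfer]:
    """One FtpTransfer per ftp.log record whose command moves a file, enriched from files.log."""
    files_by_fuid = {r["fuid"]: r for r in parse_zeek_tsv(files_lines)}
    result: List[FtpTransfer] = []
    for r in parse_zeek_tsv(ftp_lines):
        if r["command"] not in DATA_COMMANDS:
            continue                  # EPSV/PASV rows carry the same fuid; they are not transfers
        f = files_by_fuid.get(r["fuid"])
        size = int(r["file_size"]) if r["file_size"] != UNSET else (int(f["seen_bytes"]) if f else None)
        complete = (f["missing_bytes"] == "0" and f["timedout"] == "F") if f else None
        mime = r["mime_type"] if r["mime_type"] != UNSET else (f["mime_type"] if f else UNSET)
        result.append(FtpTransfer(
            ts=r["ts"], uid=r["uid"], fuid=r["fuid"], command=r["command"],
            filename=_filename_from_arg(r["arg"]), mime_type=None if mime == UNSET else mime,
            size=size, complete=complete,
            md5=(None if f is None or f["md5"] == UNSET else f["md5"]),
            sha1=(None if f is None or f["sha1"] == UNSET else f["sha1"])))
    return result


def _tsv(fields: List[str], rows: List[List[str]]) -> List[str]:
    return ["#fields\t" + "\t".join(fields)] + ["\t".join(row) for row in rows]


# Constructed sample logs, rebuilt with tabs from the wrapped lines quoted in the thread.
FTP_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type "
              "file_size reply_code reply_msg data_channel.passive data_channel.orig_h "
              "data_channel.resp_h data_channel.resp_p fuid").split()
FILES_FIELDS = ("ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename "
                "duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes "
                "timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size").split()
SAMPLE_FTP_LOG = _tsv(FTP_FIELDS, [
    ["1606347082.807480", "CNp3Rz21qqtfdKWnG9", "10.1.1.5", "59888", "x.x.219.95", "9826", "testuser",
     "<redacted>", "STOR", "ftp://x.x.219.95/home/testuser/archived-unencrypted.zip", "application/zip",
     "-", "226", "Transfer complete.", "-", "-", "-", "-", "FsRuCZYQDY8FtmyS2"],
    ["1606347082.972373", "CNp3Rz21qqtfdKWnG9", "10.1.1.5", "59888", "x.x.219.95", "9826", "testuser",
     "<redacted>", "EPSV", "-", "-", "-", "229", "Entering Extended Passive Mode (|||33369|)", "T",
     "10.1.1.5", "x.x.219.95", "33369", "FsRuCZYQDY8FtmyS2"]])
SAMPLE_FILES_LOG = _tsv(FILES_FIELDS, [
    ["1606347082.859187", "FsRuCZYQDY8FtmyS2", "10.1.1.5", "x.x.219.95", "C66As819fJARn0a3kj", "FTP_DATA",
     "0", "EXTRACT,SHA1,MD5", "application/zip", "-", "0.000170", "-", "T", "6187", "-", "0", "0", "F", "-",
     "68a7676890bda812d1818269e9b942bc", "633cb66a0565b4ed049cf4d65ed689bfe973ee51", "-",
     "FTP_DATA-FsRuCZYQDY8FtmyS2.zip", "F", "-"]])

if __name__ == "__main__":
    for t in summarize_transfers(SAMPLE_FTP_LOG, SAMPLE_FILES_LOG):
        print(t)
```

On real logs, read `ftp.log` and `files.log` with `open()` and pass the file objects in place of the sample lists; the parser tolerates the `#separator`, `#types` and `#close` lines Zeek writes. The `complete` flag is the check worth keeping: `seen_bytes` is only a trustworthy size when files.log reports no missing bytes and no timeout.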