I have Bro and a proftpd server installed on Linux. I tried to connect to this server through an intentional brute-force attack with random usernames and passwords, thinking ftp.log would record these attempts, but it didn't. Instead of ftp.log, I am getting these requests logged in the weird.log file.
I did the same with the ssh service, but I logged all requests and related information in the ssh.log file.
How can I make the ftp.log file log all FTP-related information, which I genuinely think should be a default setting? Isn't it so?
Regards, Aneela Safdar
Would it potentially be possible to send me a trace of one of the sessions
that Bro does not recognize correctly? Or, alternatively, can you create a
ticket on tracker.bro.org and upload a trace there?
Justin just reminded you that if you are running Bro and your ftp server
on the same box, you might potentially have to either disable some of the
acceleration features of your NIC, or tell Bro to disable checksumming.
You can try to either run bro with the -C command line flag, or set

    redef ignore_checksums = T;

in local.bro, if you are running broctl, to see if that fixes the issue.