Where does the username from FTP logs get derived from?
I have a use case where I see FTP traffic to a destination but my AD is reporting the user originating the traffic as one name but the user field of the FTP log shows a different name.
Why would this be?
From the USER command. See:
https://github.com/bro/bro/blob/master/scripts/base/protocols/ftp/main.bro#L169
if ( command == "USER" )
c$ftp$user = arg;
It's possible that the analyzer has a bug in it - if you could share
some more details or ideally a PCAP, we can look at getting it fixed.
Thanks,
--Vlad
Tim Desrochers <tgdesrochers@gmail.com> writes:
Unfortunately I cannot share any pcap due to the network the device is on. I can share that we believe FTP account accessed is in the name of the “USER” field recorded by bro but the AD user who uploaded to item is a different user.
So I guess my question should be, does bro pull the name from the the FTP session or does it try to pull info from something like the devices log to determine the user of the IP address who uploaded the file?
I understand now. I am checking kerberos logs now to determine the user.
Thank you for responses.