Incomplete FTP file extraction

clautos · September 12, 2016, 2:13pm

Hello,

I’m trying to extract all the files that transit through my network card over HTTP or FTP.
I have no problem with HTTP but with FTP files I get incomplete files.
In the capture_loss.log I see packet loss even when I run bro from a PCAP file (and wireshark did not miss packets).
The -C option is activated, I retrieve files with the default extraction script from the security-onion install (extract.bro). The file I’m trying to retrieve is a .exe (putty from the ftp download).
I tried to download another .exe over FTP and it worked, but my putty.exe can’t be extracted completely. I’m a bit confused.
Any idea how to retrieve my ftp files ? Maybe I forgot an option ?

Bowen_Li · September 13, 2016, 2:12am

Hi clautos,

Recently, I have the same problem when running bro cluster with pf_ring. Finally, I solved it because the port of FTP DATA and CMD is different, maybe you need to hash the same FTP connection to the same thread, so bro can extract the FTP file. Don`t know if this could help you.

Bowen Li

Topic		Replies	Views
Bro - File Extraction Zeek	2	73	May 6, 2022
http incomplete file extraction (Files::ANALYZER_EXTRACT) Zeek	8	120	May 6, 2022
File Extraction Gaps Zeek	6	85	May 6, 2022
Realtime File Extracting problem Zeek	3	64	May 6, 2022
Extract complete files Zeek	6	102	May 6, 2022

Incomplete FTP file extraction

Related Topics