From 6e2205aa686cb1c77da8d2b56ed9a1881cb72e7a Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Sat, 21 Apr 2012 14:33:14 -0400
Subject: [PATCH 1/2] Fix problem with extracting FTP passwords.

- Added "ftpuser" as another anonymous username.
- Problem discovered by Patrik Lundin.
---
 scripts/base/protocols/ftp/main.bro | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro
index e6c0131337..aa7d82469e 100644
--- a/scripts/base/protocols/ftp/main.bro
+++ b/scripts/base/protocols/ftp/main.bro
@@ -22,7 +22,7 @@ export {
 const default_capture_password = F &redef;
 ## User IDs that can be considered "anonymous".
- const guest_ids = { "anonymous", "ftp", "guest" } &redef;
+ const guest_ids = { "anonymous", "ftp", "ftpuser", "guest" } &redef;
 type Info: record {
 ## Time when the command was sent.
@@ -160,8 +160,12 @@ function ftp_message(s: Info)
 # or it's a deliberately logged command.
 if ( |s$tags| > 0 || (s?$cmdarg && s$cmdarg$cmd in logged_commands) )
 {
- if ( s?$password && to_lower(s$user) !in guest_ids )
+ if ( s?$password &&
+ !s$capture_password &&
+ to_lower(s$user) !in guest_ids )
+ {
 s$password = "";
+ }
 local arg = s$cmdarg$arg;
 if ( s$cmdarg$cmd in file_cmds )

From c10ff6fd69dc0c912f5137d205be0490d1f8fa1b Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 24 Apr 2012 16:58:03 -0400
Subject: [PATCH 2/2] Add some extra TLS extension values.

- extended_random is an expired draft rfc, but we see it in live traffic.
- http://tools.ietf.org/html/draft-rescorla-tls-extended-random-01
- heartbeat RFC was ratified in Feb. 2012.
- http://tools.ietf.org/html/rfc6520
---
 scripts/base/protocols/ssl/consts.bro | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro
index ab130c4318..6c33e6e438 100644
--- a/scripts/base/protocols/ssl/consts.bro
+++ b/scripts/base/protocols/ssl/consts.bro
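Review bot: The new "ftpuser" entry only works because it is lowercase, since the lookup in ftp_message (the next hunk in this file) is `to_lower(s$user) !in guest_ids`; a site redef that adds a mixed-case name would silently never match and that user's password would be redacted as a non-guest. The `##` doc comment above the constant should state the requirement, e.g. `## User IDs that can be considered "anonymous". Entries must be lowercase; the FTP user name is lower-cased before lookup.`. The enclosing `export` block begins and ends outside the hunk.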
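Review bot: The redaction branch now evaluates `!s$capture_password`, but the declaration of that Info field is not in the hunk; if it is declared `&optional` rather than with `&default=default_capture_password`, reading it on a record where it was never set would be a runtime error instead of a redaction, so confirm the field carries a default. This branch is also the one place that decides whether a cleartext credential is kept out of ftp.log, which deserves a why-comment above the `if`: `# Redact the password unless capture was enabled for this session or the account is a guest/anonymous one.`. Note that a password that was never seen stays unset (`s?$password` is false), so the `""` written here marks "present but redacted" rather than "absent". ftp_message continues past the end of the hunk.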
@@ -77,7 +77,9 @@ export {
 [12] = "srp",
 [13] = "signature_algorithms",
 [14] = "use_srtp",
+ [15] = "heartbeat",
 [35] = "SessionTicket TLS",
+ [40] = "extended_random",
 [13172] = "next_protocol_negotiation",
 [65281] = "renegotiation_info"
 } &default=function(i: count):string { return fmt("unknown-%d", i); };
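Review bot: The two new table entries carry no comment, while the provenance a reader of consts.bro will want lives only in the commit message: 15 comes from RFC 6520 and 40 from an expired draft that is nonetheless seen on the wire. Put that next to the values, e.g. `[15] = "heartbeat", # RFC 6520` and `[40] = "extended_random", # draft-rescorla-tls-extended-random-01 (expired draft, seen in live traffic)`. Any downstream matching on the previous fallback strings `unknown-15` or `unknown-40` produced by the `&default` function will stop matching once this lands. The table and its enclosing `export` block begin before the hunk.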