Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-07 00:58:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Change doc/ subdir into a git submodule

Browse source 
The docs now live at https://github.com/zeek/zeek-docs
This commit is contained in:
Jon Siwek 2019-01-17 14:09:29 -06:00
parent 0d685efbf5
commit 2ff746fea7
693 changed files with 26 additions and 105609 deletions
Download patch file Download diff file Expand all files Collapse all files

14
doc/scripts/base/protocols/ftp/__load__.bro.rst
View file

@ -1,14 +0,0 @@
:tocdepth: 3
base/protocols/ftp/__load__.bro
===============================
:Imports: :doc:`base/protocols/ftp/files.bro </scripts/base/protocols/ftp/files.bro>`, :doc:`base/protocols/ftp/gridftp.bro </scripts/base/protocols/ftp/gridftp.bro>`, :doc:`base/protocols/ftp/info.bro </scripts/base/protocols/ftp/info.bro>`, :doc:`base/protocols/ftp/main.bro </scripts/base/protocols/ftp/main.bro>`, :doc:`base/protocols/ftp/utils-commands.bro </scripts/base/protocols/ftp/utils-commands.bro>`, :doc:`base/protocols/ftp/utils.bro </scripts/base/protocols/ftp/utils.bro>`
Summary
~~~~~~~
Detailed Interface
~~~~~~~~~~~~~~~~~~

44
doc/scripts/base/protocols/ftp/files.bro.rst
View file

@ -1,44 +0,0 @@
:tocdepth: 3
base/protocols/ftp/files.bro
============================
.. bro:namespace:: FTP
:Namespace: FTP
:Imports: :doc:`base/frameworks/files </scripts/base/frameworks/files/index>`, :doc:`base/protocols/ftp/info.bro </scripts/base/protocols/ftp/info.bro>`, :doc:`base/protocols/ftp/main.bro </scripts/base/protocols/ftp/main.bro>`, :doc:`base/protocols/ftp/utils.bro </scripts/base/protocols/ftp/utils.bro>`, :doc:`base/utils/conn-ids.bro </scripts/base/utils/conn-ids.bro>`
Summary
~~~~~~~
Redefinitions
#############
========================================================== =
:bro:type:`FTP::Info`: :bro:type:`record`
:bro:type:`fa_file`: :bro:type:`record` :bro:attr:`&redef`
========================================================== =
Functions
#########
==================================================== =====================================
:bro:id:`FTP::describe_file`: :bro:type:`function` Describe the file being transferred.
:bro:id:`FTP::get_file_handle`: :bro:type:`function` Default file handle provider for FTP.
==================================================== =====================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: FTP::describe_file
:Type: :bro:type:`function` (f: :bro:type:`fa_file`) : :bro:type:`string`
Describe the file being transferred.
.. bro:id:: FTP::get_file_handle
:Type: :bro:type:`function` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`) : :bro:type:`string`
Default file handle provider for FTP.

129
doc/scripts/base/protocols/ftp/gridftp.bro.rst
View file

@ -1,129 +0,0 @@
:tocdepth: 3
base/protocols/ftp/gridftp.bro
==============================
.. bro:namespace:: GridFTP
A detection script for GridFTP data and control channels.
GridFTP control channels are identified by FTP control channels
that successfully negotiate the GSSAPI method of an AUTH request
and for which the exchange involved an encoded TLS/SSL handshake,
indicating the GSI mechanism for GSSAPI was used. This analysis
is all supported internally, this script simply adds the "gridftp"
label to the *service* field of the control channel's
:bro:type:`connection` record.
GridFTP data channels are identified by a heuristic that relies on
the fact that default settings for GridFTP clients typically
mutually authenticate the data channel with TLS/SSL and negotiate a
NULL bulk cipher (no encryption). Connections with those attributes
are marked as GridFTP if the data transfer within the first two minutes
is big enough to indicate a GripFTP data channel that would be
undesirable to analyze further (e.g. stop TCP reassembly). A side
effect is that true connection sizes are not logged, but at the benefit
of saving CPU cycles that would otherwise go to analyzing the large
(and likely benign) connections.
:Namespace: GridFTP
:Imports: :doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`, :doc:`base/protocols/conn </scripts/base/protocols/conn/index>`, :doc:`base/protocols/ftp/info.bro </scripts/base/protocols/ftp/info.bro>`, :doc:`base/protocols/ftp/main.bro </scripts/base/protocols/ftp/main.bro>`, :doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
Summary
~~~~~~~
Runtime Options
###############
======================================================================= ===================================================================
:bro:id:`GridFTP::max_time`: :bro:type:`interval` :bro:attr:`&redef` Time during which we check whether a connection's size exceeds the
:bro:see:`GridFTP::size_threshold`.
:bro:id:`GridFTP::size_threshold`: :bro:type:`count` :bro:attr:`&redef` Number of bytes transferred before guessing a connection is a
GridFTP data channel.
:bro:id:`GridFTP::skip_data`: :bro:type:`bool` :bro:attr:`&redef` Whether to skip further processing of the GridFTP data channel once
detected, which may help performance.
======================================================================= ===================================================================
Redefinitions
#############
========================================= =
:bro:type:`FTP::Info`: :bro:type:`record`
========================================= =
Events
######
=========================================================== ===============================================
:bro:id:`GridFTP::data_channel_detected`: :bro:type:`event` Raised when a GridFTP data channel is detected.
=========================================================== ===============================================
Functions
#########
========================================================================================= =================================================================
:bro:id:`GridFTP::data_channel_initial_criteria`: :bro:type:`function` :bro:attr:`&redef` The initial criteria used to determine whether to start polling
the connection for the :bro:see:`GridFTP::size_threshold` to have
been exceeded.
========================================================================================= =================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: GridFTP::max_time
:Type: :bro:type:`interval`
:Attributes: :bro:attr:`&redef`
:Default: ``2.0 mins``
Time during which we check whether a connection's size exceeds the
:bro:see:`GridFTP::size_threshold`.
.. bro:id:: GridFTP::size_threshold
:Type: :bro:type:`count`
:Attributes: :bro:attr:`&redef`
:Default: ``1073741824``
Number of bytes transferred before guessing a connection is a
GridFTP data channel.
.. bro:id:: GridFTP::skip_data
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``T``
Whether to skip further processing of the GridFTP data channel once
detected, which may help performance.
Events
######
.. bro:id:: GridFTP::data_channel_detected
:Type: :bro:type:`event` (c: :bro:type:`connection`)
Raised when a GridFTP data channel is detected.
:c: The connection pertaining to the GridFTP data channel.
Functions
#########
.. bro:id:: GridFTP::data_channel_initial_criteria
:Type: :bro:type:`function` (c: :bro:type:`connection`) : :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
The initial criteria used to determine whether to start polling
the connection for the :bro:see:`GridFTP::size_threshold` to have
been exceeded. This is called in a :bro:see:`ssl_established` event
handler and by default looks for both a client and server certificate
and for a NULL bulk cipher. One way in which this function could be
redefined is to make it also consider client/server certificate
issuer subjects.
:c: The connection which may possibly be a GridFTP data channel.
:returns: true if the connection should be further polled for an
exceeded :bro:see:`GridFTP::size_threshold`, else false.

54
doc/scripts/base/protocols/ftp/index.rst
View file

@ -1,54 +0,0 @@
:orphan:
Package: base/protocols/ftp
===========================
Support for File Transfer Protocol (FTP) analysis.
:doc:`/scripts/base/protocols/ftp/__load__.bro`
:doc:`/scripts/base/protocols/ftp/utils-commands.bro`
:doc:`/scripts/base/protocols/ftp/info.bro`
Defines data structures for tracking and logging FTP sessions.
:doc:`/scripts/base/protocols/ftp/main.bro`
The logging this script does is primarily focused on logging FTP commands
along with metadata. For example, if files are transferred, the argument
will take on the full path that the client is at along with the requested
file name.
:doc:`/scripts/base/protocols/ftp/utils.bro`
Utilities specific for FTP processing.
:doc:`/scripts/base/protocols/ftp/files.bro`
:doc:`/scripts/base/protocols/ftp/gridftp.bro`
A detection script for GridFTP data and control channels.
GridFTP control channels are identified by FTP control channels
that successfully negotiate the GSSAPI method of an AUTH request
and for which the exchange involved an encoded TLS/SSL handshake,
indicating the GSI mechanism for GSSAPI was used. This analysis
is all supported internally, this script simply adds the "gridftp"
label to the *service* field of the control channel's
:bro:type:`connection` record.
GridFTP data channels are identified by a heuristic that relies on
the fact that default settings for GridFTP clients typically
mutually authenticate the data channel with TLS/SSL and negotiate a
NULL bulk cipher (no encryption). Connections with those attributes
are marked as GridFTP if the data transfer within the first two minutes
is big enough to indicate a GripFTP data channel that would be
undesirable to analyze further (e.g. stop TCP reassembly). A side
effect is that true connection sizes are not logged, but at the benefit
of saving CPU cycles that would otherwise go to analyzing the large
(and likely benign) connections.

132
doc/scripts/base/protocols/ftp/info.bro.rst
View file

@ -1,132 +0,0 @@
:tocdepth: 3
base/protocols/ftp/info.bro
===========================
.. bro:namespace:: FTP
Defines data structures for tracking and logging FTP sessions.
:Namespace: FTP
:Imports: :doc:`base/protocols/ftp/utils-commands.bro </scripts/base/protocols/ftp/utils-commands.bro>`
Summary
~~~~~~~
Runtime Options
###############
============================================================================ ==========================================================
:bro:id:`FTP::default_capture_password`: :bro:type:`bool` :bro:attr:`&redef` This setting changes if passwords used in FTP sessions are
captured or not.
============================================================================ ==========================================================
Types
#####
======================================================== ==============================================
:bro:type:`FTP::ExpectedDataChannel`: :bro:type:`record` The expected endpoints of an FTP data channel.
:bro:type:`FTP::Info`: :bro:type:`record`
======================================================== ==============================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: FTP::default_capture_password
:Type: :bro:type:`bool`
:Attributes: :bro:attr:`&redef`
:Default: ``F``
This setting changes if passwords used in FTP sessions are
captured or not.
Types
#####
.. bro:type:: FTP::ExpectedDataChannel
:Type: :bro:type:`record`
passive: :bro:type:`bool` :bro:attr:`&log`
Whether PASV mode is toggled for control channel.
orig_h: :bro:type:`addr` :bro:attr:`&log`
The host that will be initiating the data connection.
resp_h: :bro:type:`addr` :bro:attr:`&log`
The host that will be accepting the data connection.
resp_p: :bro:type:`port` :bro:attr:`&log`
The port at which the acceptor is listening for the data
connection.
The expected endpoints of an FTP data channel.
.. bro:type:: FTP::Info
:Type: :bro:type:`record`
ts: :bro:type:`time` :bro:attr:`&log`
Time when the command was sent.
uid: :bro:type:`string` :bro:attr:`&log`
Unique ID for the connection.
id: :bro:type:`conn_id` :bro:attr:`&log`
The connection's 4-tuple of endpoint addresses/ports.
user: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&default` = ``"<unknown>"`` :bro:attr:`&optional`
User name for the current FTP session.
password: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Password for the current FTP session if captured.
command: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Command given by the client.
arg: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Argument for the command if one is given.
mime_type: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Sniffed mime type of file.
file_size: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Size of the file if the command indicates a file transfer.
reply_code: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
Reply code from the server in response to the command.
reply_msg: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
Reply message from the server in response to the command.
data_channel: :bro:type:`FTP::ExpectedDataChannel` :bro:attr:`&log` :bro:attr:`&optional`
Expected FTP data channel.
cwd: :bro:type:`string` :bro:attr:`&default` = ``"."`` :bro:attr:`&optional`
Current working directory that this session is in. By making
the default value '.', we can indicate that unless something
more concrete is discovered that the existing but unknown
directory is ok to use.
cmdarg: :bro:type:`FTP::CmdArg` :bro:attr:`&optional`
Command that is currently waiting for a response.
pending_commands: :bro:type:`FTP::PendingCmds`
Queue for commands that have been sent but not yet responded
to are tracked here.
passive: :bro:type:`bool` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
Indicates if the session is in active or passive mode.
capture_password: :bro:type:`bool` :bro:attr:`&default` = :bro:see:`FTP::default_capture_password` :bro:attr:`&optional`
Determines if the password will be captured for this request.
fuid: :bro:type:`string` :bro:attr:`&optional` :bro:attr:`&log`
(present if :doc:`/scripts/base/protocols/ftp/files.bro` is loaded)
File unique ID.
last_auth_requested: :bro:type:`string` :bro:attr:`&optional`
(present if :doc:`/scripts/base/protocols/ftp/gridftp.bro` is loaded)

128
doc/scripts/base/protocols/ftp/main.bro.rst
View file

@ -1,128 +0,0 @@
:tocdepth: 3
base/protocols/ftp/main.bro
===========================
.. bro:namespace:: FTP
The logging this script does is primarily focused on logging FTP commands
along with metadata. For example, if files are transferred, the argument
will take on the full path that the client is at along with the requested
file name.
:Namespace: FTP
:Imports: :doc:`base/protocols/ftp/info.bro </scripts/base/protocols/ftp/info.bro>`, :doc:`base/protocols/ftp/utils-commands.bro </scripts/base/protocols/ftp/utils-commands.bro>`, :doc:`base/protocols/ftp/utils.bro </scripts/base/protocols/ftp/utils.bro>`, :doc:`base/utils/addrs.bro </scripts/base/utils/addrs.bro>`, :doc:`base/utils/numbers.bro </scripts/base/utils/numbers.bro>`, :doc:`base/utils/paths.bro </scripts/base/utils/paths.bro>`
Summary
~~~~~~~
Runtime Options
###############
================================================================== ======================================================================
:bro:id:`FTP::guest_ids`: :bro:type:`set` :bro:attr:`&redef` User IDs that can be considered "anonymous".
:bro:id:`FTP::logged_commands`: :bro:type:`set` :bro:attr:`&redef` List of commands that should have their command/response pairs logged.
================================================================== ======================================================================
Types
#####
============================================== ===============================================
:bro:type:`FTP::ReplyCode`: :bro:type:`record` This record is to hold a parsed FTP reply code.
============================================== ===============================================
Redefinitions
#############
================================================================= ===========================================
:bro:type:`Log::ID`: :bro:type:`enum` The FTP protocol logging stream identifier.
:bro:type:`connection`: :bro:type:`record`
:bro:id:`likely_server_ports`: :bro:type:`set` :bro:attr:`&redef`
================================================================= ===========================================
Events
######
========================================= =============================================================
:bro:id:`FTP::log_ftp`: :bro:type:`event` Event that can be handled to access the :bro:type:`FTP::Info`
record as it is sent on to the logging framework.
========================================= =============================================================
Functions
#########
========================================================= =====================================================================
:bro:id:`FTP::parse_ftp_reply_code`: :bro:type:`function` Parse FTP reply codes into the three constituent single digit values.
========================================================= =====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: FTP::guest_ids
:Type: :bro:type:`set` [:bro:type:`string`]
:Attributes: :bro:attr:`&redef`
:Default:
::
{
"ftpuser",
"ftp",
"guest",
"anonymous"
}
User IDs that can be considered "anonymous".
.. bro:id:: FTP::logged_commands
:Type: :bro:type:`set` [:bro:type:`string`]
:Attributes: :bro:attr:`&redef`
:Default:
::
{
"RETR",
"EPSV",
"EPRT",
"DELE",
"PORT",
"PASV",
"STOR",
"APPE",
"STOU",
"ACCT"
}
List of commands that should have their command/response pairs logged.
Types
#####
.. bro:type:: FTP::ReplyCode
:Type: :bro:type:`record`
x: :bro:type:`count`
y: :bro:type:`count`
z: :bro:type:`count`
This record is to hold a parsed FTP reply code. For example, for the
201 status code, the digits would be parsed as: x->2, y->0, z->1.
Events
######
.. bro:id:: FTP::log_ftp
:Type: :bro:type:`event` (rec: :bro:type:`FTP::Info`)
Event that can be handled to access the :bro:type:`FTP::Info`
record as it is sent on to the logging framework.
Functions
#########
.. bro:id:: FTP::parse_ftp_reply_code
:Type: :bro:type:`function` (code: :bro:type:`count`) : :bro:type:`FTP::ReplyCode`
Parse FTP reply codes into the three constituent single digit values.

397
doc/scripts/base/protocols/ftp/utils-commands.bro.rst
View file

@ -1,397 +0,0 @@
:tocdepth: 3
base/protocols/ftp/utils-commands.bro
=====================================
.. bro:namespace:: FTP
:Namespace: FTP
Summary
~~~~~~~
Runtime Options
###############
================================================================= ===========================================================
:bro:id:`FTP::cmd_reply_code`: :bro:type:`set` :bro:attr:`&redef` Possible response codes for a wide variety of FTP commands.
================================================================= ===========================================================
Types
#####
=============================================== ====================================================================
:bro:type:`FTP::CmdArg`: :bro:type:`record`
:bro:type:`FTP::PendingCmds`: :bro:type:`table` Structure for tracking pending commands in the event that the client
sends a large number of commands before the server has a chance to
reply.
=============================================== ====================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Runtime Options
###############
.. bro:id:: FTP::cmd_reply_code
:Type: :bro:type:`set` [:bro:type:`string`, :bro:type:`count`]
:Attributes: :bro:attr:`&redef`
:Default:
::
{
["STRU", 501] ,
["SITE", 501] ,
["LIST", 530] ,
["PASS", 230] ,
["<init>", 421] ,
["STOR", 500] ,
["PASS", 202] ,
["ACCT", 500] ,
["RETR", 125] ,
["PWD", 550] ,
["NLST", 550] ,
["HELP", 502] ,
["LIST", 451] ,
["CWD", 530] ,
["HELP", 211] ,
["STOU", 551] ,
["STOU", 452] ,
["SYST", 215] ,
["NLST", 530] ,
["RNFR", 350] ,
["STOU", 451] ,
["MLST", 150] ,
["EPRT", 522] ,
["ABOR", 500] ,
["REST", 502] ,
["TYPE", 200] ,
["RETR", 110] ,
["RNTO", 530] ,
["APPE", 250] ,
["RETR", 451] ,
["NLST", 226] ,
["NLST", 502] ,
["APPE", 552] ,
["HELP", 501] ,
["STOR", 250] ,
["STOU", 500] ,
["STOR", 451] ,
["STOU", 553] ,
["APPE", 150] ,
["MKD", 502] ,
["RETR", 226] ,
["PWD", 257] ,
["MLST", 226] ,
["STRU", 421] ,
["MLSD", 550] ,
["STRU", 200] ,
["MLST", 500] ,
["APPE", 451] ,
["STOR", 452] ,
["SMNT", 501] ,
["ACCT", 230] ,
["DELE", 500] ,
["SYST", 502] ,
["ALLO", 504] ,
["STAT", 530] ,
["APPE", 532] ,
["CDUP", 501] ,
["SMNT", 421] ,
["APPE", 226] ,
["REST", 530] ,
["LIST", 150] ,
["SYST", 500] ,
["SYST", 530] ,
["RNFR", 500] ,
["STAT", 500] ,
["STRU", 504] ,
["STOR", 532] ,
["REST", 200] ,
["MODE", 530] ,
["DELE", 450] ,
["CWD", 502] ,
["REIN", 220] ,
["RNTO", 553] ,
["STOU", 421] ,
["RETR", 501] ,
["LIST", 500] ,
["RNFR", 421] ,
["MODE", 421] ,
["FEAT", 502] ,
["MACB", 200] ,
["RETR", 550] ,
["MODE", 504] ,
["APPE", 425] ,
["ALLO", 202] ,
["OPTS", 501] ,
["STOU", 226] ,
["STAT", 421] ,
["REIN", 502] ,
["STRU", 530] ,
["MLSD", 501] ,
["CWD", 421] ,
["NOOP", 500] ,
["MLSD", 250] ,
["PASS", 530] ,
["RNTO", 532] ,
["ALLO", 421] ,
["USER", 331] ,
["MKD", 530] ,
["STAT", 212] ,
["REIN", 120] ,
["RNTO", 503] ,
["STAT", 450] ,
["APPE", 500] ,
["APPE", 530] ,
["SITE", 214] ,
["FEAT", 211] ,
["STOU", 450] ,
["STOR", 425] ,
["RMD", 502] ,
["ABOR", 502] ,
["STOU", 426] ,
["STAT", 501] ,
["STOR", 552] ,
["RMD", 501] ,
["STOU", 110] ,
["MLST", 250] ,
["RNTO", 502] ,
["STOR", 150] ,
["ALLO", 200] ,
["MDTM", 501] ,
["PWD", 502] ,
["RNTO", 501] ,
["RETR", 450] ,
["MDTM", 213] ,
["RNTO", 250] ,
["DELE", 550] ,
["MKD", 421] ,
["RNTO", 421] ,
["APPE", 452] ,
["PORT", 200] ,
["STOU", 501] ,
["RNFR", 502] ,
["NLST", 425] ,
["REIN", 421] ,
["STOU", 532] ,
["RETR", 425] ,
["STAT", 502] ,
["HELP", 214] ,
["ABOR", 421] ,
["MKD", 501] ,
["CDUP", 200] ,
["STAT", 211] ,
["ALLO", 530] ,
["APPE", 553] ,
["CDUP", 250] ,
["PASS", 421] ,
["<init>", 120] ,
["EPSV", 501] ,
["TYPE", 504] ,
["HELP", 500] ,
["STOU", 550] ,
["SIZE", 550] ,
["DELE", 502] ,
["RNFR", 501] ,
["STAT", 213] ,
["USER", 421] ,
["CDUP", 500] ,
["PASV", 530] ,
["LIST", 550] ,
["REIN", 500] ,
["NOOP", 421] ,
["EPSV", 229] ,
["<missing>", 0] ,
["SYST", 421] ,
["APPE", 426] ,
["ACCT", 421] ,
["RMD", 550] ,
["MLSD", 226] ,
["USER", 230] ,
["PASS", 500] ,
["NLST", 125] ,
["NLST", 450] ,
["RMD", 530] ,
["STOR", 553] ,
["ACCT", 503] ,
["STOU", 425] ,
["MODE", 200] ,
["RMD", 250] ,
["PORT", 530] ,
["APPE", 501] ,
["HELP", 421] ,
["LPRT", 501] ,
["STOU", 250] ,
["STOU", 150] ,
["RMD", 421] ,
["HELP", 200] ,
["CLNT", 500] ,
["LIST", 125] ,
["CWD", 501] ,
["RNFR", 550] ,
["MLST", 550] ,
["CDUP", 502] ,
["SITE", 530] ,
["RETR", 421] ,
["RNTO", 500] ,
["RETR", 250] ,
["SITE", 202] ,
["STOR", 530] ,
["SMNT", 502] ,
["TYPE", 500] ,
["LIST", 426] ,
["APPE", 125] ,
["MDTM", 500] ,
["<init>", 0] ,
["LIST", 250] ,
["DELE", 250] ,
["MKD", 257] ,
["PASS", 332] ,
["PWD", 500] ,
["LIST", 226] ,
["FEAT", 500] ,
["NLST", 500] ,
["NLST", 501] ,
["EPRT", 500] ,
["DELE", 530] ,
["LIST", 502] ,
["APPE", 421] ,
["USER", 332] ,
["EPRT", 501] ,
["PORT", 500] ,
["SMNT", 250] ,
["STOU", 552] ,
["APPE", 550] ,
["STRU", 500] ,
["MLSD", 150] ,
["OPTS", 200] ,
["MODE", 501] ,
["NLST", 250] ,
["SIZE", 501] ,
["ACCT", 202] ,
["MKD", 500] ,
["SITE", 200] ,
["QUIT", 500] ,
["STOR", 426] ,
["LIST", 421] ,
["RETR", 150] ,
["MODE", 502] ,
["RMD", 500] ,
["NLST", 421] ,
["<init>", 220] ,
["PORT", 421] ,
["CWD", 250] ,
["RNFR", 450] ,
["STOR", 125] ,
["CLNT", 200] ,
["PASS", 501] ,
["PASV", 421] ,
["REST", 501] ,
["RNFR", 530] ,
["SMNT", 500] ,
["SMNT", 530] ,
["SITE", 502] ,
["APPE", 502] ,
["REST", 421] ,
["USER", 530] ,
["STOR", 550] ,
["MLST", 501] ,
["STOR", 551] ,
["OPTS", 451] ,
["SYST", 501] ,
["LPRT", 521] ,
["PORT", 501] ,
["NOOP", 200] ,
["APPE", 450] ,
["DELE", 501] ,
["ABOR", 225] ,
["PASV", 500] ,
["NLST", 150] ,
["CDUP", 530] ,
["PWD", 421] ,
["TYPE", 421] ,
["ABOR", 501] ,
["RETR", 500] ,
["ACCT", 530] ,
["STOR", 501] ,
["STOR", 226] ,
["RETR", 426] ,
["QUIT", 221] ,
["CDUP", 550] ,
["STOR", 450] ,
["NLST", 451] ,
["SITE", 500] ,
["SIZE", 213] ,
["STOR", 421] ,
["MACB", 550] ,
["PASV", 501] ,
["CWD", 500] ,
["ALLO", 501] ,
["PASV", 502] ,
["CDUP", 421] ,
["DELE", 421] ,
["SIZE", 500] ,
["PASV", 227] ,
["PWD", 501] ,
["REST", 350] ,
["NLST", 426] ,
["STOU", 530] ,
["USER", 501] ,
["USER", 500] ,
["PASS", 503] ,
["REST", 500] ,
["MLSD", 500] ,
["MACB", 500] ,
["SMNT", 550] ,
["RETR", 530] ,
["STOU", 125] ,
["TYPE", 501] ,
["CWD", 550] ,
["MKD", 550] ,
["STOR", 110] ,
["SMNT", 202] ,
["MDTM", 550] ,
["ABOR", 226] ,
["EPRT", 200] ,
["MODE", 500] ,
["ACCT", 501] ,
["EPSV", 500] ,
["QUIT", 0] ,
["ALLO", 500] ,
["LIST", 501] ,
["TYPE", 530] ,
["APPE", 551] ,
["LIST", 425] ,
["LPRT", 500] ,
["LIST", 450]
}
Possible response codes for a wide variety of FTP commands.
Types
#####
.. bro:type:: FTP::CmdArg
:Type: :bro:type:`record`
ts: :bro:type:`time`
Time when the command was sent.
cmd: :bro:type:`string` :bro:attr:`&default` = ``"<unknown>"`` :bro:attr:`&optional`
Command.
arg: :bro:type:`string` :bro:attr:`&default` = ``""`` :bro:attr:`&optional`
Argument for the command if one was given.
seq: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
Counter to track how many commands have been executed.
.. bro:type:: FTP::PendingCmds
:Type: :bro:type:`table` [:bro:type:`count`] of :bro:type:`FTP::CmdArg`
Structure for tracking pending commands in the event that the client
sends a large number of commands before the server has a chance to
reply.

57
doc/scripts/base/protocols/ftp/utils.bro.rst
View file

@ -1,57 +0,0 @@
:tocdepth: 3
base/protocols/ftp/utils.bro
============================
.. bro:namespace:: FTP
Utilities specific for FTP processing.
:Namespace: FTP
:Imports: :doc:`base/protocols/ftp/info.bro </scripts/base/protocols/ftp/info.bro>`, :doc:`base/utils/addrs.bro </scripts/base/utils/addrs.bro>`, :doc:`base/utils/paths.bro </scripts/base/utils/paths.bro>`
Summary
~~~~~~~
Functions
#########
================================================== ===========================================================
:bro:id:`FTP::build_url`: :bro:type:`function` Creates a URL from an :bro:type:`FTP::Info` record.
:bro:id:`FTP::build_url_ftp`: :bro:type:`function` Creates a URL from an :bro:type:`FTP::Info` record.
:bro:id:`FTP::describe`: :bro:type:`function` Create an extremely shortened representation of a log line.
================================================== ===========================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Functions
#########
.. bro:id:: FTP::build_url
:Type: :bro:type:`function` (rec: :bro:type:`FTP::Info`) : :bro:type:`string`
Creates a URL from an :bro:type:`FTP::Info` record.
:rec: An :bro:type:`FTP::Info` record.
:returns: A URL, not prefixed by ``"ftp://"``.
.. bro:id:: FTP::build_url_ftp
:Type: :bro:type:`function` (rec: :bro:type:`FTP::Info`) : :bro:type:`string`
Creates a URL from an :bro:type:`FTP::Info` record.
:rec: An :bro:type:`FTP::Info` record.
:returns: A URL prefixed with ``"ftp://"``.
.. bro:id:: FTP::describe
:Type: :bro:type:`function` (rec: :bro:type:`FTP::Info`) : :bro:type:`string`
Create an extremely shortened representation of a log line.