Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

ftp: Reset fuid after logging

Browse source 
A user reported being confused about the fuid association of subsequent
FTP commands when a data transfer has completed. It seems reasonable to
unset fuid upon logging a FTP command which had a fuid.

The current behavior results in the PORT or PASV commands after a RETR or STOR
to have the fuid of the prior file transfer. Similarly, any CWD or DEL commands
following a file transfer will unnecessarily be logged with the fuid of the
prior file transfer.

This tickles the baselines for the private testing PCAP a lot, primarily
because there data connections in that pcap are never established properly.
E.g, the fuids FzDzid1Dxm9srVKHXf and FEfYX73q5C6GEQZXX9 have been re-used
for multiple commands.

This may look like we're losing information, but the fuids vanishing
in the normal btests belong to a LIST command that isn't logged by
default into ftp.log. If it was, the fuid would be attached to it.
This commit is contained in:
Arne Welzel 2024-02-20 20:16:03 +01:00
parent 6de51f0d7a
commit 31b548babc
8 changed files with 21 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

3
scripts/base/protocols/ftp/main.zeek
View file

@ -212,8 +212,9 @@ function ftp_message(c: connection)
# values after logging.
delete s$mime_type;
delete s$file_size;
# Same with data channel.
# Same with data channel and fuid;
delete s$data_channel;
delete s$fuid;
}
event sync_add_expected_data(s: Info, chan: ExpectedDataChannel) &is_used