From 6b864d5dd24830672e2cdb030ab64e78f5f36d38 Mon Sep 17 00:00:00 2001
From: Justin Azoff
Date: Thu, 21 Sep 2017 10:50:26 -0400
Subject: [PATCH] problem: gridftp threshold is being applied to all connections

The bytes_threshold_crossed event in the gridftp analyzer is not first checking to see if the connection passed the initial criteria. This causes the script to add the gridftp-data service to any connection that crosses a threshold that is the same as or greater than the gridftp size_threshold.
---
 scripts/base/protocols/ftp/gridftp.bro | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scripts/base/protocols/ftp/gridftp.bro b/scripts/base/protocols/ftp/gridftp.bro
index 68be66d53a..5090eebb3d 100644
--- a/scripts/base/protocols/ftp/gridftp.bro
+++ b/scripts/base/protocols/ftp/gridftp.bro
@@ -74,6 +74,8 @@ event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is
 {
 if ( threshold < size_threshold || "gridftp-data" in c$service || c$duration > max_time )
 return;
+ if ( ! data_channel_initial_criteria(c) )
+ return;
 add c$service["gridftp-data"];
 event GridFTP::data_channel_detected(c);
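Review bot: The new guard `if ( ! data_channel_initial_criteria(c) ) return;` has no comment saying why the handler re-checks the criteria, and the reason is not visible in the code: per the commit message, `ConnThreshold::bytes_threshold_crossed` also reaches this handler for thresholds this script did not register. I would add above it `# This event also fires for thresholds set by other scripts; only tag connections that met our own initial criteria.` The criteria are evaluated when the threshold is crossed rather than when it was set, so the guard presumably relies on them still holding for the connection's state at that point, which is worth confirming against the function's definition. The commit carries no regression test; one that sets an equal or larger byte threshold on a non-GridFTP connection and asserts that `gridftp-data` is not added to `c$service` would pin the fix and protect the accuracy of the service label that analysts and downstream scripts rely on. The handler's signature and the rest of its body lie outside the hunk.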