diff --git a/scripts/base/protocols/ftp/file-analysis.bro b/scripts/base/protocols/ftp/file-analysis.bro index 9a435cb8ec..9131be6ab2 100644 --- a/scripts/base/protocols/ftp/file-analysis.bro +++ b/scripts/base/protocols/ftp/file-analysis.bro @@ -14,9 +14,29 @@ export { ## Default file handle provider for FTP. function get_file_handle(c: connection, is_orig: bool): string { - if ( is_orig ) return ""; - return fmt("%s %s %s", ANALYZER_FTP_DATA, c$start_time, - id_string(c$id)); + if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected ) return ""; + + local info: FTP::Info = ftp_data_expected[c$id$resp_h, c$id$resp_p]; + + local rval = fmt("%s %s %s", ANALYZER_FTP_DATA, c$start_time, + id_string(c$id)); + + if ( info$passive ) + # FTP client initiates data channel. + if ( is_orig ) + # Don't care about FTP client data. + return ""; + else + # Do care about FTP server data. + return rval; + else + # FTP server initiates dta channel. + if ( is_orig ) + # Do care about FTP server data. + return rval; + else + # Don't care about FTP client data. + return ""; } } diff --git a/scripts/base/protocols/ftp/file-extract.bro b/scripts/base/protocols/ftp/file-extract.bro index 7cee4995ba..e1e0044efb 100644 --- a/scripts/base/protocols/ftp/file-extract.bro +++ b/scripts/base/protocols/ftp/file-extract.bro @@ -13,54 +13,96 @@ export { const extraction_prefix = "ftp-item" &redef; } +global extract_count: count = 0; + redef record Info += { ## On disk file where it was extracted to. - extraction_file: file &log &optional; + extraction_file: string &log &optional; ## Indicates if the current command/response pair should attempt to ## extract the file if a file was transferred. extract_file: bool &default=F; - - ## Internal tracking of the total number of files extracted during this - ## session. - num_extracted_files: count &default=0; }; -event file_transferred(c: connection, prefix: string, descr: string, - mime_type: string) &priority=3 +hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) + &priority=5 { - local id = c$id; - if ( [id$resp_h, id$resp_p] !in ftp_data_expected ) - return; - - local s = ftp_data_expected[id$resp_h, id$resp_p]; + if ( trig != FileAnalysis::TRIGGER_NEW ) return; + if ( ! info?$source ) return; + if ( info$source != "FTP_DATA" ) return; + if ( ! info?$conns ) return; - if ( extract_file_types in s$mime_type ) + local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, info$file_id, + extract_count); + local extracting: bool = F; + + for ( cid in info$conns ) { - s$extract_file = T; - ++s$num_extracted_files; + local c: connection = info$conns[cid]; + + if ( [cid$resp_h, cid$resp_p] !in ftp_data_expected ) next; + + local s = ftp_data_expected[cid$resp_h, cid$resp_p]; + + if ( ! s$extract_file ) next; + + if ( ! extracting ) + { + FileAnalysis::add_action(info$file_id, + [$act=FileAnalysis::ACTION_EXTRACT, + $extract_filename=fname]); + extracting = T; + ++extract_count; + } } } -event file_transferred(c: connection, prefix: string, descr: string, - mime_type: string) &priority=-4 +hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) + &priority=5 { - local id = c$id; - if ( [id$resp_h, id$resp_p] !in ftp_data_expected ) - return; - - local s = ftp_data_expected[id$resp_h, id$resp_p]; - - if ( s$extract_file ) - { - local suffix = fmt("%d.dat", s$num_extracted_files); - local fname = generate_extraction_filename(extraction_prefix, c, suffix); - s$extraction_file = open(fname); - if ( s$passive ) - set_contents_file(id, CONTENTS_RESP, s$extraction_file); - else - set_contents_file(id, CONTENTS_ORIG, s$extraction_file); - } + if ( trig != FileAnalysis::TRIGGER_TYPE ) return; + if ( ! info?$mime_type ) return; + if ( ! info?$source ) return; + if ( info$source != "FTP_DATA" ) return; + if ( extract_file_types !in info$mime_type ) return; + + for ( act in info$actions ) + if ( act$act == FileAnalysis::ACTION_EXTRACT ) return; + + local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, info$file_id, + extract_count); + ++extract_count; + FileAnalysis::add_action(info$file_id, [$act=FileAnalysis::ACTION_EXTRACT, + $extract_filename=fname]); + } + +hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) + &priority=5 + { + if ( trig != FileAnalysis::TRIGGER_EOF && + trig != FileAnalysis::TRIGGER_DONE ) return; + if ( ! info?$source ) return; + if ( info$source != "FTP_DATA" ) return; + + for ( act in info$actions ) + if ( act$act == FileAnalysis::ACTION_EXTRACT ) + { + local s: FTP::Info; + s$ts = network_time(); + s$tags = set(); + s$user = ""; + s$extraction_file = act$extract_filename; + + if ( info?$conns ) + for ( cid in info$conns ) + { + s$uid = info$conns[cid]$uid; + s$id = cid; + break; + } + + Log::write(FTP::LOG, s); + } } event log_ftp(rec: Info) &priority=-10 diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index 893ab7ce50..94a3b1f222 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -16,7 +16,8 @@ export { ## List of commands that should have their command/response pairs logged. const logged_commands = { - "APPE", "DELE", "RETR", "STOR", "STOU", "ACCT" + "APPE", "DELE", "RETR", "STOR", "STOU", "ACCT", "PORT", "PASV", "EPRT", + "EPSV" } &redef; ## This setting changes if passwords used in FTP sessions are captured or not. @@ -24,6 +25,18 @@ export { ## User IDs that can be considered "anonymous". const guest_ids = { "anonymous", "ftp", "ftpuser", "guest" } &redef; + + ## The expected endpoints of an FTP data channel. + type ExpectedDataChannel: record { + ## Whether PASV mode is toggled for control channel. + passive: bool &log; + ## The host that will be initiating the data connection. + orig_h: addr &log; + ## The host that will be accepting the data connection. + resp_h: addr &log; + ## The port at which the acceptor is listening for the data connection. + resp_p: port &log; + }; type Info: record { ## Time when the command was sent. @@ -54,7 +67,10 @@ export { reply_msg: string &log &optional; ## Arbitrary tags that may indicate a particular attribute of this command. tags: set[string] &log &default=set(); - + + ## Expected FTP data channel. + data_channel: ExpectedDataChannel &log &optional; + ## Current working directory that this session is in. By making ## the default value '/.', we can indicate that unless something ## more concrete is discovered that the existing but unknown @@ -103,7 +119,7 @@ redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] }; redef likely_server_ports += { 21/tcp, 2811/tcp }; # Establish the variable for tracking expected connections. -global ftp_data_expected: table[addr, port] of Info &create_expire=5mins; +global ftp_data_expected: table[addr, port] of Info &read_expire=5mins; event bro_init() &priority=5 { @@ -180,7 +196,7 @@ function ftp_message(s: Info) delete s$arg; else s$arg=arg; - + Log::write(FTP::LOG, s); } @@ -190,8 +206,19 @@ function ftp_message(s: Info) delete s$mime_type; delete s$mime_desc; delete s$file_size; + # Same with data channel. + delete s$data_channel; # Tags are cleared everytime too. - delete s$tags; + s$tags = set(); + } + +function add_expected_data_channel(s: Info, chan: ExpectedDataChannel) + { + s$passive = chan$passive; + s$data_channel = chan; + ftp_data_expected[chan$resp_h, chan$resp_p] = s; + expect_connection(chan$orig_h, chan$resp_h, chan$resp_p, ANALYZER_FTP_DATA, + 5mins); } event ftp_request(c: connection, command: string, arg: string) &priority=5 @@ -226,10 +253,8 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5 if ( data$valid ) { - c$ftp$passive=F; - ftp_data_expected[data$h, data$p] = c$ftp; - expect_connection(id$resp_h, data$h, data$p, ANALYZER_FTP_DATA, - 5mins); + add_expected_data_channel(c$ftp, [$passive=F, $orig_h=id$resp_h, + $resp_h=data$h, $resp_p=data$p]); } else { @@ -280,10 +305,9 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior if ( code == 229 && data$h == [::] ) data$h = id$resp_h; - - ftp_data_expected[data$h, data$p] = c$ftp; - expect_connection(id$orig_h, data$h, data$p, ANALYZER_FTP_DATA, - 5mins); + + add_expected_data_channel(c$ftp, [$passive=T, $orig_h=id$orig_h, + $resp_h=data$h, $resp_p=data$p]); } else { @@ -333,14 +357,13 @@ event file_transferred(c: connection, prefix: string, descr: string, } } -event file_transferred(c: connection, prefix: string, descr: string, - mime_type: string) &priority=-5 +event connection_state_remove(c: connection) &priority=-5 { local id = c$id; if ( [id$resp_h, id$resp_p] in ftp_data_expected ) delete ftp_data_expected[id$resp_h, id$resp_p]; } - + # Use state remove event to cover connections terminated by RST. event connection_state_remove(c: connection) &priority=-5 { diff --git a/scripts/base/protocols/smtp/entities.bro b/scripts/base/protocols/smtp/entities.bro index e67fa7d5e0..d009068ad0 100644 --- a/scripts/base/protocols/smtp/entities.bro +++ b/scripts/base/protocols/smtp/entities.bro @@ -43,9 +43,6 @@ export { }; redef record State += { - ## Store a count of the number of files that have been transferred in - ## a conversation to create unique file names on disk. - num_extracted_files: count &default=0; ## Track the number of MIME encoded files transferred during a session. mime_level: count &default=0; }; diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/conn.log new file mode 100644 index 0000000000..52f7d90401 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/conn.log @@ -0,0 +1,14 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2013-03-27-17-47-03 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool count string count count count count table[string] +1329843175.736107 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - 0 ShAdfFa 4 216 4 562 (empty) +1329843179.871641 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - 0 ShAdfFa 4 216 4 297 (empty) +1329843194.151526 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - 0 ShADaFf 5 614 3 164 (empty) +1329843197.783443 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - 0 ShADaFf 5 349 3 164 (empty) +1329843161.968492 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 tcp ftp 38.055625 180 3146 SF - 0 ShAdDfFa 38 2164 25 4458 (empty) +#close 2013-03-27-17-47-03 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7-1.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7-1.dat new file mode 100644 index 0000000000..a59965e6f6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7-1.dat @@ -0,0 +1,5 @@ +User-agent: * +Disallow: *.tgz +Disallow: *.gz +Disallow: *.tbz +Disallow: *.bz2 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4-0.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4-0.dat new file mode 100644 index 0000000000..8bd2e31300 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4-0.dat @@ -0,0 +1,6 @@ +total 98028 +lrwxrwxr-x 1 root wheel 32 Aug 16 2009 .message -> pub/NetBSD/README.export-control +drwxr-x--x 3 root wheel 512 Aug 16 2009 etc +-rw-rw-r-- 1 600 netbsd 50158695 Feb 21 03:10 ls-lRA.gz +drwxr-xr-x 7 root wheel 512 Aug 20 2009 pub +-rw-rw-r-- 1 root wheel 77 Aug 16 2009 robots.txt diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38-2.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38-2.dat new file mode 100644 index 0000000000..8bd2e31300 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38-2.dat @@ -0,0 +1,6 @@ +total 98028 +lrwxrwxr-x 1 root wheel 32 Aug 16 2009 .message -> pub/NetBSD/README.export-control +drwxr-x--x 3 root wheel 512 Aug 16 2009 etc +-rw-rw-r-- 1 600 netbsd 50158695 Feb 21 03:10 ls-lRA.gz +drwxr-xr-x 7 root wheel 512 Aug 20 2009 pub +-rw-rw-r-- 1 root wheel 77 Aug 16 2009 robots.txt diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk-3.dat b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk-3.dat new file mode 100644 index 0000000000..a59965e6f6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk-3.dat @@ -0,0 +1,5 @@ +User-agent: * +Disallow: *.tgz +Disallow: *.gz +Disallow: *.tbz +Disallow: *.bz2 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log new file mode 100644 index 0000000000..89526602c2 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log @@ -0,0 +1,21 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ftp +#open 2013-03-27-17-47-03 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type mime_desc file_size reply_code reply_msg tags data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p extraction_file +#types time string addr port addr port string string string string string string count count string table[string] bool addr addr port string +1329843175.680248 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - - 227 Entering Passive Mode (199,233,217,249,221,90) (empty) T 141.142.220.235 199.233.217.249 56666 - +1329843175.791528 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test LIST - - - - 226 Transfer complete. (empty) - - - - - +1329843179.815947 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - - 227 Entering Passive Mode (199,233,217,249,221,91) (empty) T 141.142.220.235 199.233.217.249 56667 - +1329843193.984222 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 - - - - - - - - (empty) - - - - ftp-item-Rqjkzoroau4-0.dat +1329843193.984222 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 - - - - - - - - (empty) - - - - ftp-item-BTsa70Ua9x7-1.dat +1329843179.926563 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain ASCII text 77 226 Transfer complete. (empty) - - - - - +1329843194.040188 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,131,46 - - - 200 PORT command successful. (empty) F 199.233.217.249 141.142.220.235 33582 - +1329843194.095782 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test LIST - - - - 226 Transfer complete. (empty) - - - - - +1329843197.672179 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,147,203 - - - 200 PORT command successful. (empty) F 199.233.217.249 141.142.220.235 37835 - +1329843199.968212 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 - - - - - - - - (empty) - - - - ftp-item-VLQvJybrm38-2.dat +1329843197.727769 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain ASCII text, with CRLF line terminators 77 226 Transfer complete. (empty) - - - - - +1329843200.079930 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 - - - - - - - - (empty) - - - - ftp-item-zrfwSs9K1yk-3.dat +#close 2013-03-27-17-47-03 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/ftp.log index 0d0a8f57f1..6b05d924d3 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/ftp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/ftp.log @@ -3,9 +3,13 @@ #empty_field (empty) #unset_field - #path ftp -#open 2012-02-21-16-53-13 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type mime_desc file_size reply_code reply_msg tags extraction_file -#types time string addr port addr port string string string string string string count count string table[string] file -1329843179.926563 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain ASCII text 77 226 Transfer complete. - - -1329843197.727769 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain ASCII text, with CRLF line terminators 77 226 Transfer complete. - - -#close 2012-02-21-16-53-20 +#open 2013-03-27-17-47-22 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type mime_desc file_size reply_code reply_msg tags data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p extraction_file +#types time string addr port addr port string string string string string string count count string table[string] bool addr addr port string +1329843175.680248 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - - 227 Entering Passive Mode (199,233,217,249,221,90) (empty) T 141.142.220.235 199.233.217.249 56666 - +1329843179.815947 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - - 227 Entering Passive Mode (199,233,217,249,221,91) (empty) T 141.142.220.235 199.233.217.249 56667 - +1329843179.926563 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain ASCII text 77 226 Transfer complete. (empty) - - - - - +1329843194.040188 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,131,46 - - - 200 PORT command successful. (empty) F 199.233.217.249 141.142.220.235 33582 - +1329843197.672179 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,147,203 - - - 200 PORT command successful. (empty) F 199.233.217.249 141.142.220.235 37835 - +1329843197.727769 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain ASCII text, with CRLF line terminators 77 226 Transfer complete. (empty) - - - - - +#close 2013-03-27-17-47-22 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/ftp.log index 62ea4df18d..ea0c07a0c9 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/ftp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/ftp.log @@ -3,9 +3,14 @@ #empty_field (empty) #unset_field - #path ftp -#open 2012-02-15-17-43-07 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type mime_desc file_size reply_code reply_msg tags extraction_file -#types time string addr port addr port string string string string string string count count string table[string] file -1329327787.396984 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test RETR ftp://[2001:470:4867:99::21]/robots.txt - - 77 226 Transfer complete. - - -1329327795.463946 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test RETR ftp://[2001:470:4867:99::21]/robots.txt - - 77 226 Transfer complete. - - -#close 2012-02-15-17-43-24 +#open 2013-03-27-17-50-35 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type mime_desc file_size reply_code reply_msg tags data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p extraction_file +#types time string addr port addr port string string string string string string count count string table[string] bool addr addr port string +1329327783.207785 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test EPSV - - - - 229 Entering Extended Passive Mode (|||57086|) (empty) T 2001:470:1f11:81f:c999:d94:aa7c:2e3e 2001:470:4867:99::21 57086 - +1329327786.415755 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test EPSV - - - - 229 Entering Extended Passive Mode (|||57087|) (empty) T 2001:470:1f11:81f:c999:d94:aa7c:2e3e 2001:470:4867:99::21 57087 - +1329327787.180814 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test EPSV - - - - 229 Entering Extended Passive Mode (|||57088|) (empty) T 2001:470:1f11:81f:c999:d94:aa7c:2e3e 2001:470:4867:99::21 57088 - +1329327787.396984 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test RETR ftp://[2001:470:4867:99::21]/robots.txt - - 77 226 Transfer complete. (empty) - - - - - +1329327795.355248 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test EPRT |2|2001:470:1f11:81f:c999:d94:aa7c:2e3e|49189| - - - 200 EPRT command successful. (empty) F 2001:470:4867:99::21 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49189 - +1329327795.463946 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test RETR ftp://[2001:470:4867:99::21]/robots.txt - - 77 226 Transfer complete. (empty) - - - - - +1329327799.799327 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test EPRT |2|2001:470:1f11:81f:c999:d94:aa7c:2e3e|49190| - - - 200 EPRT command successful. (empty) F 2001:470:4867:99::21 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49190 - +#close 2013-03-27-17-50-35 diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro b/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro new file mode 100644 index 0000000000..9ae5280757 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ftp/ftp-extract.bro @@ -0,0 +1,12 @@ +# This tests FTP file extraction. +# +# @TEST-EXEC: bro -r $TRACES/ftp/ipv4.trace %INPUT +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff ftp.log +# @TEST-EXEC: btest-diff ftp-item-Rqjkzoroau4-0.dat +# @TEST-EXEC: btest-diff ftp-item-BTsa70Ua9x7-1.dat +# @TEST-EXEC: btest-diff ftp-item-VLQvJybrm38-2.dat +# @TEST-EXEC: btest-diff ftp-item-zrfwSs9K1yk-3.dat + +redef FTP::logged_commands += {"LIST"}; +redef FTP::extract_file_types=/.*/;