FileAnalysis: replace script-layer FTP file analysis.

The notable difference here is that ftp.log now logs by default
the PORT, PASV, EPRT, EPSV commands as well as a separate line for
ftp-data channels in which file extraction was requested.

This difference isn't a direct result of now doing the file extraction
through the file analysis framework, it's just because I noticed even
the old way of tracking extracted-file name didn't work right and this
was the way I came up with so that a locally extracted file can be
associated with a data channel and then that data channel associated
with a control channel.

scripts/base/protocols/ftp/file-analysis.bro

@@ -14,9 +14,29 @@ export {
 	## Default file handle provider for FTP.
 	function get_file_handle(c: connection, is_orig: bool): string
 		{
-		if ( is_orig ) return "";
-		return fmt("%s %s %s", ANALYZER_FTP_DATA, c$start_time,
-		           id_string(c$id));
+		if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected ) return "";
+
+		local info: FTP::Info = ftp_data_expected[c$id$resp_h, c$id$resp_p];
+
+		local rval = fmt("%s %s %s", ANALYZER_FTP_DATA, c$start_time,
+		                 id_string(c$id));
+
+		if ( info$passive )
+			# FTP client initiates data channel.
+			if ( is_orig )
+				# Don't care about FTP client data.
+				return "";
+			else
+				# Do care about FTP server data.
+				return rval;
+		else
+			# FTP server initiates dta channel.
+			if ( is_orig )
+				# Do care about FTP server data.
+				return rval;
+			else
+				# Don't care about FTP client data.
+				return "";
 		}
 }
 

scripts/base/protocols/ftp/file-extract.bro

@@ -13,54 +13,96 @@ export {
 	const extraction_prefix = "ftp-item" &redef;
 }
 
+global extract_count: count = 0;
+
 redef record Info += {
 	## On disk file where it was extracted to.
-	extraction_file:       file &log &optional;
+	extraction_file:       string &log &optional;
 	
 	## Indicates if the current command/response pair should attempt to 
 	## extract the file if a file was transferred.
 	extract_file:          bool &default=F;
-	
-	## Internal tracking of the total number of files extracted during this 
-	## session.
-	num_extracted_files:   count &default=0;
 };
 
-event file_transferred(c: connection, prefix: string, descr: string,
-			mime_type: string) &priority=3
+hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
+	&priority=5
 	{
-	local id = c$id;
-	if ( [id$resp_h, id$resp_p] !in ftp_data_expected )
-		return;
-		
-	local s = ftp_data_expected[id$resp_h, id$resp_p];
+	if ( trig != FileAnalysis::TRIGGER_NEW ) return;
+	if ( ! info?$source ) return;
+	if ( info$source != "FTP_DATA" ) return;
+	if ( ! info?$conns ) return;
 
-	if ( extract_file_types in s$mime_type )
+	local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, info$file_id,
+	                          extract_count);
+	local extracting: bool = F;
+
+	for ( cid in info$conns )
 		{
-		s$extract_file = T;
-		++s$num_extracted_files;
+		local c: connection = info$conns[cid];
+
+		if ( [cid$resp_h, cid$resp_p] !in ftp_data_expected ) next;
+
+		local s = ftp_data_expected[cid$resp_h, cid$resp_p];
+
+		if ( ! s$extract_file ) next;
+
+		if ( ! extracting )
+			{
+			FileAnalysis::add_action(info$file_id,
+			                         [$act=FileAnalysis::ACTION_EXTRACT,
+			                          $extract_filename=fname]);
+			extracting = T;
+			++extract_count;
+			}
 		}
 	}
 
-event file_transferred(c: connection, prefix: string, descr: string,
-			mime_type: string) &priority=-4
+hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
+	&priority=5
 	{
-	local id = c$id;
-	if ( [id$resp_h, id$resp_p] !in ftp_data_expected )
-		return;
-		
-	local s = ftp_data_expected[id$resp_h, id$resp_p];
-	
-	if ( s$extract_file )
-		{
-		local suffix = fmt("%d.dat", s$num_extracted_files);
-		local fname = generate_extraction_filename(extraction_prefix, c, suffix);
-		s$extraction_file = open(fname);
-		if ( s$passive )
-			set_contents_file(id, CONTENTS_RESP, s$extraction_file);
-		else
-			set_contents_file(id, CONTENTS_ORIG, s$extraction_file);
-		}
+	if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
+	if ( ! info?$mime_type ) return;
+	if ( ! info?$source ) return;
+	if ( info$source != "FTP_DATA" ) return;
+	if ( extract_file_types !in info$mime_type ) return;
+
+	for ( act in info$actions )
+		if ( act$act == FileAnalysis::ACTION_EXTRACT ) return;
+
+	local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, info$file_id,
+	                          extract_count);
+	++extract_count;
+	FileAnalysis::add_action(info$file_id, [$act=FileAnalysis::ACTION_EXTRACT,
+	                                        $extract_filename=fname]);
+	}
+
+hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
+	&priority=5
+	{
+	if ( trig != FileAnalysis::TRIGGER_EOF &&
+	     trig != FileAnalysis::TRIGGER_DONE ) return;
+	if ( ! info?$source ) return;
+	if ( info$source != "FTP_DATA" ) return;
+
+	for ( act in info$actions )
+		if ( act$act == FileAnalysis::ACTION_EXTRACT )
+			{
+			local s: FTP::Info;
+			s$ts = network_time();
+			s$tags = set();
+			s$user = "<ftp-data>";
+			s$extraction_file = act$extract_filename;
+
+			if ( info?$conns )
+				for ( cid in info$conns )
+					{
+					s$uid = info$conns[cid]$uid;
+					s$id = cid;
+					break;
+					}
+
+			Log::write(FTP::LOG, s);
+			}
 	}
 
 event log_ftp(rec: Info) &priority=-10

scripts/base/protocols/ftp/main.bro

@@ -16,7 +16,8 @@ export {
 	
 	## List of commands that should have their command/response pairs logged.
 	const logged_commands = {
-		"APPE", "DELE", "RETR", "STOR", "STOU", "ACCT"
+		"APPE", "DELE", "RETR", "STOR", "STOU", "ACCT", "PORT", "PASV", "EPRT",
+		"EPSV"
 	} &redef;
 	
 	## This setting changes if passwords used in FTP sessions are captured or not.
@@ -24,6 +25,18 @@ export {
 	
 	## User IDs that can be considered "anonymous".
 	const guest_ids = { "anonymous", "ftp", "ftpuser", "guest" } &redef;
+
+	## The expected endpoints of an FTP data channel.
+	type ExpectedDataChannel: record {
+		## Whether PASV mode is toggled for control channel.
+		passive: bool &log;
+		## The host that will be initiating the data connection.
+		orig_h: addr &log;
+		## The host that will be accepting the data connection.
+		resp_h: addr &log;
+		## The port at which the acceptor is listening for the data connection.
+		resp_p: port &log;
+	};
 	
 	type Info: record {
 		## Time when the command was sent.
@@ -54,7 +67,10 @@ export {
 		reply_msg:        string      &log &optional;
 		## Arbitrary tags that may indicate a particular attribute of this command.
 		tags:             set[string] &log &default=set();
-		
+
+		## Expected FTP data channel.
+		data_channel:     ExpectedDataChannel &log &optional;
+
 		## Current working directory that this session is in.  By making
 		## the default value '/.', we can indicate that unless something
 		## more concrete is discovered that the existing but unknown
@@ -103,7 +119,7 @@ redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] };
 redef likely_server_ports += { 21/tcp, 2811/tcp };
 
 # Establish the variable for tracking expected connections.
-global ftp_data_expected: table[addr, port] of Info &create_expire=5mins;
+global ftp_data_expected: table[addr, port] of Info &read_expire=5mins;
 
 event bro_init() &priority=5
 	{
@@ -180,7 +196,7 @@ function ftp_message(s: Info)
 			delete s$arg;
 		else
 			s$arg=arg;
-		
+
 		Log::write(FTP::LOG, s);
 		}
 	
@@ -190,8 +206,19 @@ function ftp_message(s: Info)
 	delete s$mime_type;
 	delete s$mime_desc;
 	delete s$file_size;
+	# Same with data channel.
+	delete s$data_channel;
 	# Tags are cleared everytime too.
-	delete s$tags;
+	s$tags = set();
+	}
+
+function add_expected_data_channel(s: Info, chan: ExpectedDataChannel)
+	{
+	s$passive = chan$passive;
+	s$data_channel = chan;
+	ftp_data_expected[chan$resp_h, chan$resp_p] = s;
+	expect_connection(chan$orig_h, chan$resp_h, chan$resp_p, ANALYZER_FTP_DATA,
+	                  5mins);
 	}
 
 event ftp_request(c: connection, command: string, arg: string) &priority=5
@@ -226,10 +253,8 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
 
 		if ( data$valid )
 			{
-			c$ftp$passive=F;
-			ftp_data_expected[data$h, data$p] = c$ftp;
-			expect_connection(id$resp_h, data$h, data$p, ANALYZER_FTP_DATA,
-			                  5mins);
+			add_expected_data_channel(c$ftp, [$passive=F, $orig_h=id$resp_h,
+			                                  $resp_h=data$h, $resp_p=data$p]);
 			}
 		else
 			{
@@ -280,10 +305,9 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 			
 			if ( code == 229 && data$h == [::] )
 				data$h = id$resp_h;
-			
-			ftp_data_expected[data$h, data$p] = c$ftp;
-			expect_connection(id$orig_h, data$h, data$p, ANALYZER_FTP_DATA,
-			                  5mins);
+
+			add_expected_data_channel(c$ftp, [$passive=T, $orig_h=id$orig_h,
+			                          $resp_h=data$h, $resp_p=data$p]);
 			}
 		else
 			{
@@ -333,14 +357,13 @@ event file_transferred(c: connection, prefix: string, descr: string,
 		}
 	}
 	
-event file_transferred(c: connection, prefix: string, descr: string,
-			mime_type: string) &priority=-5
+event connection_state_remove(c: connection) &priority=-5
 	{
 	local id = c$id;
 	if ( [id$resp_h, id$resp_p] in ftp_data_expected )
 		delete ftp_data_expected[id$resp_h, id$resp_p];
 	}
-	
+
 # Use state remove event to cover connections terminated by RST.
 event connection_state_remove(c: connection) &priority=-5
 	{

scripts/base/protocols/smtp/entities.bro

@@ -43,9 +43,6 @@ export {
 	};
 
 	redef record State += {
-		## Store a count of the number of files that have been transferred in
-		## a conversation to create unique file names on disk.
-		num_extracted_files:  count   &default=0;
 		## Track the number of MIME encoded files transferred during a session.
 		mime_level:           count   &default=0;
 	};