Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

FileAnalysis: replace script-layer FTP file analysis.

Browse source 
The notable difference here is that ftp.log now logs by default
the PORT, PASV, EPRT, EPSV commands as well as a separate line for
ftp-data channels in which file extraction was requested.

This difference isn't a direct result of now doing the file extraction
through the file analysis framework, it's just because I noticed even
the old way of tracking extracted-file name didn't work right and this
was the way I came up with so that a locally extracted file can be
associated with a data channel and then that data channel associated
with a control channel.
This commit is contained in:
Jon Siwek 2013-03-27 12:59:38 -05:00
parent 621fe51c82
commit 7e895a3a2f
13 changed files with 227 additions and 67 deletions
Download patch file Download diff file Expand all files Collapse all files

26
scripts/base/protocols/ftp/file-analysis.bro
View file

@ -14,9 +14,29 @@ export {
## Default file handle provider for FTP. ## Default file handle provider for FTP.
function get_file_handle(c: connection, is_orig: bool): string function get_file_handle(c: connection, is_orig: bool): string
{ {
if ( is_orig ) return ""; if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected ) return "";
return fmt("%s %s %s", ANALYZER_FTP_DATA, c$start_time,
id_string(c$id)); local info: FTP::Info = ftp_data_expected[c$id$resp_h, c$id$resp_p];
local rval = fmt("%s %s %s", ANALYZER_FTP_DATA, c$start_time,
id_string(c$id));
if ( info$passive )
# FTP client initiates data channel.
if ( is_orig )
# Don't care about FTP client data.
return "";
else
# Do care about FTP server data.
return rval;
else
# FTP server initiates dta channel.
if ( is_orig )
# Do care about FTP server data.
return rval;
else
# Don't care about FTP client data.
return "";
} }
} }

102
scripts/base/protocols/ftp/file-extract.bro
View file

@ -13,54 +13,96 @@ export {
const extraction_prefix = "ftp-item" &redef; const extraction_prefix = "ftp-item" &redef;
} }
global extract_count: count = 0;
redef record Info += { redef record Info += {
## On disk file where it was extracted to. ## On disk file where it was extracted to.
extraction_file: file &log &optional; extraction_file: string &log &optional;
## Indicates if the current command/response pair should attempt to ## Indicates if the current command/response pair should attempt to
## extract the file if a file was transferred. ## extract the file if a file was transferred.
extract_file: bool &default=F; extract_file: bool &default=F;
## Internal tracking of the total number of files extracted during this
## session.
num_extracted_files: count &default=0;
}; };
event file_transferred(c: connection, prefix: string, descr: string, hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
mime_type: string) &priority=3 &priority=5
{ {
local id = c$id; if ( trig != FileAnalysis::TRIGGER_NEW ) return;
if ( [id$resp_h, id$resp_p] !in ftp_data_expected ) if ( ! info?$source ) return;
return; if ( info$source != "FTP_DATA" ) return;
if ( ! info?$conns ) return;
local s = ftp_data_expected[id$resp_h, id$resp_p]; local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, info$file_id,
extract_count);
local extracting: bool = F;
if ( extract_file_types in s$mime_type ) for ( cid in info$conns )
{ {
s$extract_file = T; local c: connection = info$conns[cid];
++s$num_extracted_files;
if ( [cid$resp_h, cid$resp_p] !in ftp_data_expected ) next;
local s = ftp_data_expected[cid$resp_h, cid$resp_p];
if ( ! s$extract_file ) next;
if ( ! extracting )
{
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=fname]);
extracting = T;
++extract_count;
}
} }
} }
event file_transferred(c: connection, prefix: string, descr: string, hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
mime_type: string) &priority=-4 &priority=5
{ {
local id = c$id; if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
if ( [id$resp_h, id$resp_p] !in ftp_data_expected ) if ( ! info?$mime_type ) return;
return; if ( ! info?$source ) return;
if ( info$source != "FTP_DATA" ) return;
if ( extract_file_types !in info$mime_type ) return;
local s = ftp_data_expected[id$resp_h, id$resp_p]; for ( act in info$actions )
if ( act$act == FileAnalysis::ACTION_EXTRACT ) return;
if ( s$extract_file ) local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, info$file_id,
{ extract_count);
local suffix = fmt("%d.dat", s$num_extracted_files); ++extract_count;
local fname = generate_extraction_filename(extraction_prefix, c, suffix); FileAnalysis::add_action(info$file_id, [$act=FileAnalysis::ACTION_EXTRACT,
s$extraction_file = open(fname); $extract_filename=fname]);
if ( s$passive ) }
set_contents_file(id, CONTENTS_RESP, s$extraction_file);
else hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
set_contents_file(id, CONTENTS_ORIG, s$extraction_file); &priority=5
} {
if ( trig != FileAnalysis::TRIGGER_EOF &&
trig != FileAnalysis::TRIGGER_DONE ) return;
if ( ! info?$source ) return;
if ( info$source != "FTP_DATA" ) return;
for ( act in info$actions )
if ( act$act == FileAnalysis::ACTION_EXTRACT )
{
local s: FTP::Info;
s$ts = network_time();
s$tags = set();
s$user = "<ftp-data>";
s$extraction_file = act$extract_filename;
if ( info?$conns )
for ( cid in info$conns )
{
s$uid = info$conns[cid]$uid;
s$id = cid;
break;
}
Log::write(FTP::LOG, s);
}
} }
event log_ftp(rec: Info) &priority=-10 event log_ftp(rec: Info) &priority=-10

47
scripts/base/protocols/ftp/main.bro
View file

@ -16,7 +16,8 @@ export {
## List of commands that should have their command/response pairs logged. ## List of commands that should have their command/response pairs logged.
const logged_commands = { const logged_commands = {
"APPE", "DELE", "RETR", "STOR", "STOU", "ACCT" "APPE", "DELE", "RETR", "STOR", "STOU", "ACCT", "PORT", "PASV", "EPRT",
"EPSV"
} &redef; } &redef;
## This setting changes if passwords used in FTP sessions are captured or not. ## This setting changes if passwords used in FTP sessions are captured or not.
@ -25,6 +26,18 @@ export {
## User IDs that can be considered "anonymous". ## User IDs that can be considered "anonymous".
const guest_ids = { "anonymous", "ftp", "ftpuser", "guest" } &redef; const guest_ids = { "anonymous", "ftp", "ftpuser", "guest" } &redef;
## The expected endpoints of an FTP data channel.
type ExpectedDataChannel: record {
## Whether PASV mode is toggled for control channel.
passive: bool &log;
## The host that will be initiating the data connection.
orig_h: addr &log;
## The host that will be accepting the data connection.
resp_h: addr &log;
## The port at which the acceptor is listening for the data connection.
resp_p: port &log;
};
type Info: record { type Info: record {
## Time when the command was sent. ## Time when the command was sent.
ts: time &log; ts: time &log;
@ -55,6 +68,9 @@ export {
## Arbitrary tags that may indicate a particular attribute of this command. ## Arbitrary tags that may indicate a particular attribute of this command.
tags: set[string] &log &default=set(); tags: set[string] &log &default=set();
## Expected FTP data channel.
data_channel: ExpectedDataChannel &log &optional;
## Current working directory that this session is in. By making ## Current working directory that this session is in. By making
## the default value '/.', we can indicate that unless something ## the default value '/.', we can indicate that unless something
## more concrete is discovered that the existing but unknown ## more concrete is discovered that the existing but unknown
@ -103,7 +119,7 @@ redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] };
redef likely_server_ports += { 21/tcp, 2811/tcp }; redef likely_server_ports += { 21/tcp, 2811/tcp };
# Establish the variable for tracking expected connections. # Establish the variable for tracking expected connections.
global ftp_data_expected: table[addr, port] of Info &create_expire=5mins; global ftp_data_expected: table[addr, port] of Info &read_expire=5mins;
event bro_init() &priority=5 event bro_init() &priority=5
{ {
@ -190,8 +206,19 @@ function ftp_message(s: Info)
delete s$mime_type; delete s$mime_type;
delete s$mime_desc; delete s$mime_desc;
delete s$file_size; delete s$file_size;
# Same with data channel.
delete s$data_channel;
# Tags are cleared everytime too. # Tags are cleared everytime too.
delete s$tags; s$tags = set();
}
function add_expected_data_channel(s: Info, chan: ExpectedDataChannel)
{
s$passive = chan$passive;
s$data_channel = chan;
ftp_data_expected[chan$resp_h, chan$resp_p] = s;
expect_connection(chan$orig_h, chan$resp_h, chan$resp_p, ANALYZER_FTP_DATA,
5mins);
} }
event ftp_request(c: connection, command: string, arg: string) &priority=5 event ftp_request(c: connection, command: string, arg: string) &priority=5
@ -226,10 +253,8 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
if ( data$valid ) if ( data$valid )
{ {
c$ftp$passive=F; add_expected_data_channel(c$ftp, [$passive=F, $orig_h=id$resp_h,
ftp_data_expected[data$h, data$p] = c$ftp; $resp_h=data$h, $resp_p=data$p]);
expect_connection(id$resp_h, data$h, data$p, ANALYZER_FTP_DATA,
5mins);
} }
else else
{ {
@ -281,9 +306,8 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
if ( code == 229 && data$h == [::] ) if ( code == 229 && data$h == [::] )
data$h = id$resp_h; data$h = id$resp_h;
ftp_data_expected[data$h, data$p] = c$ftp; add_expected_data_channel(c$ftp, [$passive=T, $orig_h=id$orig_h,
expect_connection(id$orig_h, data$h, data$p, ANALYZER_FTP_DATA, $resp_h=data$h, $resp_p=data$p]);
5mins);
} }
else else
{ {
@ -333,8 +357,7 @@ event file_transferred(c: connection, prefix: string, descr: string,
} }
} }
event file_transferred(c: connection, prefix: string, descr: string, event connection_state_remove(c: connection) &priority=-5
mime_type: string) &priority=-5
{ {
local id = c$id; local id = c$id;
if ( [id$resp_h, id$resp_p] in ftp_data_expected ) if ( [id$resp_h, id$resp_p] in ftp_data_expected )

3
scripts/base/protocols/smtp/entities.bro
View file

@ -43,9 +43,6 @@ export {
}; };
redef record State += { redef record State += {
## Store a count of the number of files that have been transferred in
## a conversation to create unique file names on disk.
num_extracted_files: count &default=0;
## Track the number of MIME encoded files transferred during a session. ## Track the number of MIME encoded files transferred during a session.
mime_level: count &default=0; mime_level: count &default=0;
}; };

14
testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/conn.log Normal file
View file

@ -0,0 +1,14 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2013-03-27-17-47-03
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count table[string]
1329843175.736107 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - 0 ShAdfFa 4 216 4 562 (empty)
1329843179.871641 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - 0 ShAdfFa 4 216 4 297 (empty)
1329843194.151526 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - 0 ShADaFf 5 614 3 164 (empty)
1329843197.783443 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - 0 ShADaFf 5 349 3 164 (empty)
1329843161.968492 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 tcp ftp 38.055625 180 3146 SF - 0 ShAdDfFa 38 2164 25 4458 (empty)
#close 2013-03-27-17-47-03

5
testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7-1.dat Normal file
View file

@ -0,0 +1,5 @@
User-agent: *
Disallow: *.tgz
Disallow: *.gz
Disallow: *.tbz
Disallow: *.bz2

6
testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4-0.dat Normal file
View file

@ -0,0 +1,6 @@
total 98028
lrwxrwxr-x 1 root wheel 32 Aug 16 2009 .message -> pub/NetBSD/README.export-control
drwxr-x--x 3 root wheel 512 Aug 16 2009 etc
-rw-rw-r-- 1 600 netbsd 50158695 Feb 21 03:10 ls-lRA.gz
drwxr-xr-x 7 root wheel 512 Aug 20 2009 pub
-rw-rw-r-- 1 root wheel 77 Aug 16 2009 robots.txt

6
testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38-2.dat Normal file
View file

@ -0,0 +1,6 @@
total 98028
lrwxrwxr-x 1 root wheel 32 Aug 16 2009 .message -> pub/NetBSD/README.export-control
drwxr-x--x 3 root wheel 512 Aug 16 2009 etc
-rw-rw-r-- 1 600 netbsd 50158695 Feb 21 03:10 ls-lRA.gz
drwxr-xr-x 7 root wheel 512 Aug 20 2009 pub
-rw-rw-r-- 1 root wheel 77 Aug 16 2009 robots.txt

5
testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk-3.dat Normal file
View file

@ -0,0 +1,5 @@
User-agent: *
Disallow: *.tgz
Disallow: *.gz
Disallow: *.tbz
Disallow: *.bz2

21
testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log Normal file
View file

@ -0,0 +1,21 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ftp
#open 2013-03-27-17-47-03
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type mime_desc file_size reply_code reply_msg tags data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p extraction_file
#types time string addr port addr port string string string string string string count count string table[string] bool addr addr port string
1329843175.680248 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - - 227 Entering Passive Mode (199,233,217,249,221,90) (empty) T 141.142.220.235 199.233.217.249 56666 -
1329843175.791528 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test LIST - - - - 226 Transfer complete. (empty) - - - - -
1329843179.815947 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - - 227 Entering Passive Mode (199,233,217,249,221,91) (empty) T 141.142.220.235 199.233.217.249 56667 -
1329843193.984222 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 <ftp-data> - - - - - - - - (empty) - - - - ftp-item-Rqjkzoroau4-0.dat
1329843193.984222 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 <ftp-data> - - - - - - - - (empty) - - - - ftp-item-BTsa70Ua9x7-1.dat
1329843179.926563 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain ASCII text 77 226 Transfer complete. (empty) - - - - -
1329843194.040188 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,131,46 - - - 200 PORT command successful. (empty) F 199.233.217.249 141.142.220.235 33582 -
1329843194.095782 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test LIST - - - - 226 Transfer complete. (empty) - - - - -
1329843197.672179 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,147,203 - - - 200 PORT command successful. (empty) F 199.233.217.249 141.142.220.235 37835 -
1329843199.968212 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 <ftp-data> - - - - - - - - (empty) - - - - ftp-item-VLQvJybrm38-2.dat
1329843197.727769 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain ASCII text, with CRLF line terminators 77 226 Transfer complete. (empty) - - - - -
1329843200.079930 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 <ftp-data> - - - - - - - - (empty) - - - - ftp-item-zrfwSs9K1yk-3.dat
#close 2013-03-27-17-47-03

16
testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/ftp.log
View file

@ -3,9 +3,13 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ftp #path ftp
#open 2012-02-21-16-53-13 #open 2013-03-27-17-47-22
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type mime_desc file_size reply_code reply_msg tags extraction_file #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type mime_desc file_size reply_code reply_msg tags data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p extraction_file
#types time string addr port addr port string string string string string string count count string table[string] file #types time string addr port addr port string string string string string string count count string table[string] bool addr addr port string
1329843179.926563 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain ASCII text 77 226 Transfer complete. - - 1329843175.680248 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - - 227 Entering Passive Mode (199,233,217,249,221,90) (empty) T 141.142.220.235 199.233.217.249 56666 -
1329843197.727769 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain ASCII text, with CRLF line terminators 77 226 Transfer complete. - - 1329843179.815947 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - - 227 Entering Passive Mode (199,233,217,249,221,91) (empty) T 141.142.220.235 199.233.217.249 56667 -
#close 2012-02-21-16-53-20 1329843179.926563 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain ASCII text 77 226 Transfer complete. (empty) - - - - -
1329843194.040188 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,131,46 - - - 200 PORT command successful. (empty) F 199.233.217.249 141.142.220.235 33582 -
1329843197.672179 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,147,203 - - - 200 PORT command successful. (empty) F 199.233.217.249 141.142.220.235 37835 -
1329843197.727769 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain ASCII text, with CRLF line terminators 77 226 Transfer complete. (empty) - - - - -
#close 2013-03-27-17-47-22

17
testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/ftp.log
View file

@ -3,9 +3,14 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ftp #path ftp
#open 2012-02-15-17-43-07 #open 2013-03-27-17-50-35
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type mime_desc file_size reply_code reply_msg tags extraction_file #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type mime_desc file_size reply_code reply_msg tags data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p extraction_file
#types time string addr port addr port string string string string string string count count string table[string] file #types time string addr port addr port string string string string string string count count string table[string] bool addr addr port string
1329327787.396984 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test RETR ftp://[2001:470:4867:99::21]/robots.txt - - 77 226 Transfer complete. - - 1329327783.207785 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test EPSV - - - - 229 Entering Extended Passive Mode (|||57086|) (empty) T 2001:470:1f11:81f:c999:d94:aa7c:2e3e 2001:470:4867:99::21 57086 -
1329327795.463946 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test RETR ftp://[2001:470:4867:99::21]/robots.txt - - 77 226 Transfer complete. - - 1329327786.415755 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test EPSV - - - - 229 Entering Extended Passive Mode (|||57087|) (empty) T 2001:470:1f11:81f:c999:d94:aa7c:2e3e 2001:470:4867:99::21 57087 -
#close 2012-02-15-17-43-24 1329327787.180814 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test EPSV - - - - 229 Entering Extended Passive Mode (|||57088|) (empty) T 2001:470:1f11:81f:c999:d94:aa7c:2e3e 2001:470:4867:99::21 57088 -
1329327787.396984 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test RETR ftp://[2001:470:4867:99::21]/robots.txt - - 77 226 Transfer complete. (empty) - - - - -
1329327795.355248 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test EPRT |2|2001:470:1f11:81f:c999:d94:aa7c:2e3e|49189| - - - 200 EPRT command successful. (empty) F 2001:470:4867:99::21 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49189 -
1329327795.463946 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test RETR ftp://[2001:470:4867:99::21]/robots.txt - - 77 226 Transfer complete. (empty) - - - - -
1329327799.799327 UWkUyAuUGXf 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 anonymous test EPRT |2|2001:470:1f11:81f:c999:d94:aa7c:2e3e|49190| - - - 200 EPRT command successful. (empty) F 2001:470:4867:99::21 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49190 -
#close 2013-03-27-17-50-35

12
testing/btest/scripts/base/protocols/ftp/ftp-extract.bro Normal file
View file

@ -0,0 +1,12 @@
# This tests FTP file extraction.
#
# @TEST-EXEC: bro -r $TRACES/ftp/ipv4.trace %INPUT
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff ftp.log
# @TEST-EXEC: btest-diff ftp-item-Rqjkzoroau4-0.dat
# @TEST-EXEC: btest-diff ftp-item-BTsa70Ua9x7-1.dat
# @TEST-EXEC: btest-diff ftp-item-VLQvJybrm38-2.dat
# @TEST-EXEC: btest-diff ftp-item-zrfwSs9K1yk-3.dat
redef FTP::logged_commands += {"LIST"};
redef FTP::extract_file_types=/.*/;