From 18f84275793e3eb50f0fb23c9978621cddac4117 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Wed, 17 Oct 2012 12:09:12 -0500
Subject: [PATCH] Change how "gridftp" gets added to service field of connection records.

In addition to checking for a finished SSL handshake over an FTP connection, it now also requires that the SSL handshake occurs after the FTP client requested AUTH GSSAPI, more specifically identifying the characteristics of GridFTP control channels. Addresses #891.
---
 scripts/base/protocols/ftp/gridftp.bro | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/scripts/base/protocols/ftp/gridftp.bro b/scripts/base/protocols/ftp/gridftp.bro
index 7413fa24c6..57752b1cbd 100644
--- a/scripts/base/protocols/ftp/gridftp.bro
+++ b/scripts/base/protocols/ftp/gridftp.bro
@@ -68,6 +68,16 @@ export {
 const data_channel_initial_criteria: function(c: connection): bool &redef;
 }
+redef record FTP::Info += {
+ last_auth_requested: string &optional;
+};
+
+event ftp_request(c: connection, command: string, arg: string) &priority=4
+ {
+ if ( command == "AUTH" && c?$ftp )
+ c$ftp$last_auth_requested = arg;
+ }
+
 function size_callback(c: connection, cnt: count): interval
 {
 if ( c$orig$size > size_threshold || c$resp$size > size_threshold )
@@ -89,8 +99,10 @@ function size_callback(c: connection, cnt: count): interval
 event ssl_established(c: connection) &priority=5
 {
- # Add service label to control channels.
- if ( "FTP" in c$service )
+ # If an FTP client requests AUTH GSSAPI and later an SSL handshake
+ # finishes, it's likely a GridFTP control channel, so add service label.
+ if ( c?$ftp && c$ftp?$last_auth_requested &&
+ /GSSAPI/ in c$ftp$last_auth_requested )
 add c$service["gridftp"];
 }
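Review bot: The new `last_auth_requested` field added to `FTP::Info` has no doc comment, and since it stores the raw, client-controlled argument of the last AUTH command and is never reset, a reader of the record should be told that it is untrusted input used only as a classification hint; I would add above the field `## Argument of the most recent AUTH command sent by the client (e.g. "GSSAPI"). Client-controlled; used to recognize GridFTP control channels.` In the `ftp_request` handler the comparison `command == "AUTH"` is exact-case; FTP command verbs are case-insensitive on the wire, so whether a lowercase `auth` is caught depends on whether the FTP analyzer normalizes the command before raising the event, which is not visible in this hunk and worth a one-line comment either way. The `size_callback` function shown as trailing context continues outside the hunk.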
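Review bot: The unanchored pattern `/GSSAPI/ in c$ftp$last_auth_requested` in `ssl_established` is a substring match on a string the client chose, so any AUTH argument that merely contains "GSSAPI" (e.g. `AUTH XGSSAPI-TEST`) tags the connection as gridftp, while a lowercase `AUTH gssapi` — mechanism names are, as far as I recall, case-insensitive under RFC 2228 — is missed. An exact, case-folded comparison is tighter on both counts: `if ( c?$ftp && c$ftp?$last_auth_requested &&` / `     to_upper(c$ftp$last_auth_requested) == "GSSAPI" )`. Either way, the "gridftp" service label is derived from client-sent data plus a completed TLS handshake, so downstream policy should treat it as a heuristic rather than an authenticated identification of a GridFTP peer; the new comment could say so explicitly.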