base/protocols/ftp/main.zeek

FTP

The logging this script does is primarily focused on logging FTP commands along with metadata. For example, if files are transferred, the arg field will hold the full path of the client's current directory combined with the requested file name.

Namespace

FTP

Imports

base/frameworks/cluster, base/frameworks/notice/weird.zeek, base/protocols/conn/removal-hooks.zeek, base/protocols/ftp/info.zeek, base/protocols/ftp/utils-commands.zeek, base/protocols/ftp/utils.zeek, base/utils/addrs.zeek, base/utils/numbers.zeek, base/utils/paths.zeek

Summary

Runtime Options

FTP::guest_ids: set &redef

User IDs that can be considered “anonymous”.

FTP::logged_commands: set &redef

List of commands that should have their command/response pairs logged.

FTP::max_arg_length: count &redef

Truncate the arg field in the log to that many bytes to avoid excessive logging volume.

FTP::max_password_length: count &redef

Truncate the password field in the log to that many bytes to avoid excessive logging volume, as this value is replicated in each of the entries related to an FTP session.

FTP::max_pending_commands: count &redef

Allow a client to send this many commands before the server sends a reply.

FTP::max_reply_msg_length: count &redef

Truncate the reply_msg field in the log to that many bytes to avoid excessive logging volume.

FTP::max_user_length: count &redef

Truncate the user field in the log to that many bytes to avoid excessive logging volume, as this value is replicated in each of the entries related to an FTP session.

Types

FTP::ReplyCode: record

This record is to hold a parsed FTP reply code.

Redefinitions

Log::ID: enum

The FTP protocol logging stream identifier.

connection: record

New Fields

connection

ftp: FTP::Info &optional

ftp_data_reuse: bool &default = F &optional

likely_server_ports: set &redef

Events

FTP::log_ftp: event

Event that can be handled to access the FTP::Info record as it is sent on to the logging framework.

Hooks

FTP::finalize_ftp: Conn::RemovalHook

FTP finalization hook.

FTP::finalize_ftp_data: hook

FTP data finalization hook.

FTP::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Functions

FTP::parse_ftp_reply_code: function

Parse FTP reply codes into the three constituent single digit values.

Detailed Interface

Runtime Options

FTP::guest_ids
Type

set [string]

Attributes

&redef

Default
{
   "guest",
   "anonymous",
   "ftpuser",
   "ftp"
}

User IDs that can be considered “anonymous”.

FTP::logged_commands
Type

set [string]

Attributes

&redef

Default
{
   "ACCT",
   "DELE",
   "APPE",
   "RETR",
   "PORT",
   "STOR",
   "EPRT",
   "PASV",
   "STOU",
   "EPSV"
}

List of commands that should have their command/response pairs logged.

FTP::max_arg_length
Type

count

Attributes

&redef

Default

4096

Truncate the arg field in the log to that many bytes to avoid excessive logging volume.

FTP::max_password_length
Type

count

Attributes

&redef

Default

128

Truncate the password field in the log to that many bytes to avoid excessive logging volume, as this value is replicated in each of the entries related to an FTP session.

FTP::max_pending_commands
Type

count

Attributes

&redef

Default

20

Allow a client to send this many commands before the server sends a reply. If this value is exceeded a weird named FTP_too_many_pending_commands is logged for the connection.

FTP::max_reply_msg_length
Type

count

Attributes

&redef

Default

4096

Truncate the reply_msg field in the log to that many bytes to avoid excessive logging volume.

FTP::max_user_length
Type

count

Attributes

&redef

Default

128

Truncate the user field in the log to that many bytes to avoid excessive logging volume, as this value is replicated in each of the entries related to an FTP session.

Types

FTP::ReplyCode
Type

record

x: count

y: count

z: count

This record is to hold a parsed FTP reply code. For example, for the 201 status code, the digits would be parsed as: x->2, y->0, z->1.

Events

FTP::log_ftp
Type

event (rec: FTP::Info)

Event that can be handled to access the FTP::Info record as it is sent on to the logging framework.

Hooks

FTP::finalize_ftp
Type

Conn::RemovalHook

FTP finalization hook. Remaining FTP info may get logged when it’s called.

FTP::finalize_ftp_data
Type

hook (c: connection) : bool

FTP data finalization hook. Expected FTP data channel state may get purged when called.

FTP::log_policy
Type

Log::PolicyHook

A default logging policy hook for the stream.

Functions

FTP::parse_ftp_reply_code
Type

function (code: count) : FTP::ReplyCode

Parse FTP reply codes into the three constituent single digit values.
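The following script is an added example of using this interface from a site script; it is not part of base/protocols/ftp/main.zeek. It handles FTP::log_ftp, splits each reply code with FTP::parse_ftp_reply_code, and reports clients whose transfer commands keep failing; the module name, the threshold, and the per-client table are assumptions, and it assumes the FTP::Info fields id, user, command and reply_code defined in info.zeek.

```zeek
##! Added example (not part of base/protocols/ftp/main.zeek): report clients
##! whose RETR/STOR/APPE/STOU commands repeatedly draw negative replies.

@load base/protocols/ftp

module FTPWatch;

export {
    ## Assumed threshold: failed transfer commands from one client before reporting.
    const fail_threshold = 5 &redef;

    ## Constructed set of commands whose failures are counted. All four are in
    ## FTP::logged_commands by default, so they reach FTP::log_ftp.
    const transfer_cmds: set[string] = { "RETR", "STOR", "APPE", "STOU" } &redef;
}

## Per-client counter of failed transfer commands; entries age out after 10 minutes.
global failed_transfers: table[addr] of count &default=0 &create_expire=10min;

event FTP::log_ftp(rec: FTP::Info)
{
    # Only command/response pairs for the commands we care about.
    if ( ! rec?$command || rec$command !in transfer_cmds )
        return;

    # A record without a reply code carries nothing to classify.
    if ( ! rec?$reply_code )
        return;

    # FTP::parse_ftp_reply_code splits e.g. 550 into x=5, y=5, z=0.
    # The first digit classifies the reply: 4 transient negative, 5 permanent negative.
    local rc = FTP::parse_ftp_reply_code(rec$reply_code);
    if ( rc$x != 4 && rc$x != 5 )
        return;

    local client = rec$id$orig_h;
    failed_transfers[client] += 1;

    if ( failed_transfers[client] == fail_threshold )
    {
        # FTP::guest_ids tells us whether the login was one of the anonymous IDs.
        local who = rec$user in FTP::guest_ids ? "anonymous" : "authenticated";
        Reporter::warning(fmt("%s FTP client %s: %d failed transfers (last %s -> %d)",
                              who, client, fail_threshold, rec$command, rec$reply_code));
    }
}
```

Because the handler runs on records already bound for ftp.log, it sees fields after FTP::max_arg_length and friends have been applied, so it must not rely on untruncated arg or reply_msg values.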