base/protocols/ftp/main.zeek

FTP

The logging this script does is primarily focused on logging FTP commands along with metadata. For example, when files are transferred, the arg field records the full path the client is currently in together with the requested file name.

Namespace:

FTP

Imports:

base/frameworks/cluster, base/frameworks/notice/weird.zeek, base/protocols/conn/removal-hooks.zeek, base/protocols/ftp/info.zeek, base/protocols/ftp/utils-commands.zeek, base/protocols/ftp/utils.zeek, base/utils/addrs.zeek, base/utils/numbers.zeek, base/utils/paths.zeek

Summary

Runtime Options

FTP::guest_ids: set &redef

User IDs that can be considered “anonymous”.

FTP::logged_commands: set &redef

List of commands that should have their command/response pairs logged.

FTP::max_arg_length: count &redef

Truncate the arg field in the log to that many bytes to avoid excessive logging volume.

FTP::max_password_length: count &redef

Truncate the password field in the log to that many bytes to avoid excessive logging volume, as this value is replicated in each of the entries related to an FTP session.

FTP::max_pending_commands: count &redef

Allow a client to send this many commands before the server sends a reply.

FTP::max_reply_msg_length: count &redef

Truncate the reply_msg field in the log to that many bytes to avoid excessive logging volume.

FTP::max_user_length: count &redef

Truncate the user field in the log to that many bytes to avoid excessive logging volume, as this value is replicated in each of the entries related to an FTP session.

Types

FTP::ReplyCode: record

This record is to hold a parsed FTP reply code.

Redefinitions

Log::ID: enum

The FTP protocol logging stream identifier.

connection: record

New Fields:

connection

ftp: FTP::Info &optional

ftp_data_reuse: bool &default = F &optional

likely_server_ports: set &redef

Events

FTP::log_ftp: event

Event that can be handled to access the FTP::Info record as it is sent on to the logging framework.

Hooks

FTP::finalize_ftp: Conn::RemovalHook

FTP finalization hook.

FTP::finalize_ftp_data: hook

FTP data finalization hook.

FTP::log_policy: Log::PolicyHook

A default logging policy hook for the stream.

Functions

FTP::parse_ftp_reply_code: function

Parse FTP reply codes into the three constituent single digit values.

Detailed Interface

Runtime Options

FTP::guest_ids
Type:

set [string]

Attributes:

&redef

Default:
{
   "guest",
   "anonymous",
   "ftpuser",
   "ftp"
}

User IDs that can be considered “anonymous”.

FTP::logged_commands
Type:

set [string]

Attributes:

&redef

Default:
{
   "ACCT",
   "DELE",
   "APPE",
   "RETR",
   "PORT",
   "STOR",
   "EPRT",
   "PASV",
   "STOU",
   "EPSV"
}

List of commands that should have their command/response pairs logged.

FTP::max_arg_length
Type:

count

Attributes:

&redef

Default:

4096

Truncate the arg field in the log to that many bytes to avoid excessive logging volume.

FTP::max_password_length
Type:

count

Attributes:

&redef

Default:

128

Truncate the password field in the log to that many bytes to avoid excessive logging volume, as this value is replicated in each of the entries related to an FTP session.

FTP::max_pending_commands
Type:

count

Attributes:

&redef

Default:

20

Allow a client to send this many commands before the server sends a reply. If this value is exceeded a weird named FTP_too_many_pending_commands is logged for the connection.

FTP::max_reply_msg_length
Type:

count

Attributes:

&redef

Default:

4096

Truncate the reply_msg field in the log to that many bytes to avoid excessive logging volume.

FTP::max_user_length
Type:

count

Attributes:

&redef

Default:

128

Truncate the user field in the log to that many bytes to avoid excessive logging volume, as this value is replicated in each of the entries related to an FTP session.

Types

FTP::ReplyCode
Type:

record

x: count

y: count

z: count

This record is to hold a parsed FTP reply code. For example, for the 201 status code, the digits would be parsed as: x->2, y->0, z->1.

Events

FTP::log_ftp
Type:

event (rec: FTP::Info)

Event that can be handled to access the FTP::Info record as it is sent on to the logging framework.

Hooks

FTP::finalize_ftp
Type:

Conn::RemovalHook

FTP finalization hook. Remaining FTP info may get logged when it’s called.

FTP::finalize_ftp_data
Type:

hook (c: connection) : bool

FTP data finalization hook. Expected FTP data channel state may get purged when called.

FTP::log_policy
Type:

Log::PolicyHook

A default logging policy hook for the stream.

Functions

FTP::parse_ftp_reply_code
Type:

function (code: count) : FTP::ReplyCode

Parse FTP reply codes into the three constituent single digit values.
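As an added example (not code from main.zeek or the Zeek project), the following script ties the pieces above together: it extends FTP::logged_commands, tightens FTP::max_pending_commands, and handles FTP::log_ftp, using FTP::parse_ftp_reply_code to act only on positive-completion (2yz) replies and FTP::guest_ids to recognise anonymous users. The module name FTPAudit, the notice type and the transfer_commands set are assumptions, and the FTP::Info fields user, command, arg, reply_code, id and uid come from the imported base/protocols/ftp/info.zeek rather than from this page.

```zeek
##! Added example (not part of base/protocols/ftp/main.zeek): raise a notice
##! when a guest/anonymous FTP user completes a file transfer. Module name,
##! notice type and FTP::Info fields used are assumed from info.zeek.
@load base/frameworks/notice
@load base/protocols/ftp

module FTPAudit;

export {
	redef enum Notice::Type += {
		## Raised when a user listed in FTP::guest_ids completes a transfer.
		Anonymous_Transfer,
	};

	## Commands that move file contents over the data channel (assumption).
	const transfer_commands: set[string] = { "RETR", "STOR", "STOU", "APPE" } &redef;
}

# Also log directory manipulation; MKD/RMD are not in the default set.
redef FTP::logged_commands += { "MKD", "RMD" };

# More than this many unanswered client commands triggers the
# FTP_too_many_pending_commands weird; tighten the default of 20.
redef FTP::max_pending_commands = 10;

event FTP::log_ftp(rec: FTP::Info)
	{
	# Only entries carrying both a command and the server's reply are useful.
	if ( ! rec?$command || ! rec?$reply_code )
		return;

	# Split e.g. 226 into x=2, y=2, z=6; x == 2 means positive completion.
	local rc = FTP::parse_ftp_reply_code(rec$reply_code);
	if ( rc$x != 2 )
		return;

	if ( rec$command !in transfer_commands )
		return;

	# guest_ids holds lowercase IDs; normalise the logged user before lookup.
	if ( to_lower(rec$user) !in FTP::guest_ids )
		return;

	local path = rec?$arg ? rec$arg : "<no arg>";
	NOTICE([$note=Anonymous_Transfer,
	        $msg=fmt("anonymous FTP %s of %s by user %s", rec$command, path, rec$user),
	        $sub=path, $id=rec$id, $uid=rec$uid,
	        $identifier=cat(rec$id$orig_h, rec$command, path)]);
	}
```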