base/protocols/ftp/main.zeek
- FTP
The logging this script does is primarily focused on logging FTP commands along with metadata. For example, if files are transferred, the argument will take on the full path that the client is at along with the requested file name.
- Namespace
FTP
- Imports
base/frameworks/cluster, base/frameworks/notice/weird.zeek, base/protocols/conn/removal-hooks.zeek, base/protocols/ftp/info.zeek, base/protocols/ftp/utils-commands.zeek, base/protocols/ftp/utils.zeek, base/utils/addrs.zeek, base/utils/numbers.zeek, base/utils/paths.zeek
Summary
Runtime Options
User IDs that can be considered “anonymous”. |
|
List of commands that should have their command/response pairs logged. |
|
Truncate the arg field in the log to that many bytes to avoid excessive logging volume. |
|
Truncate the password field in the log to that many bytes to avoid excessive logging volume as this values is replicated in each of the entries related to an FTP session. |
|
Allow a client to send this many commands before the server sends a reply. |
|
Truncate the reply_msg field in the log to that many bytes to avoid excessive logging volume. |
|
Truncate the user field in the log to that many bytes to avoid excessive logging volume as this values is replicated in each of the entries related to an FTP session. |
Types
This record is to hold a parsed FTP reply code. |
Redefinitions
The FTP protocol logging stream identifier. |
|
Events
Event that can be handled to access the |
Hooks
FTP finalization hook. |
|
FTP data finalization hook. |
|
A default logging policy hook for the stream. |
Functions
Parse FTP reply codes into the three constituent single digit values. |
Detailed Interface
Runtime Options
- FTP::guest_ids
-
User IDs that can be considered “anonymous”.
- FTP::logged_commands
- Type
- Attributes
- Default
{ "ACCT", "DELE", "APPE", "RETR", "PORT", "STOR", "EPRT", "PASV", "STOU", "EPSV" }
List of commands that should have their command/response pairs logged.
- FTP::max_arg_length
-
Truncate the arg field in the log to that many bytes to avoid excessive logging volume.
- FTP::max_password_length
-
Truncate the password field in the log to that many bytes to avoid excessive logging volume as this values is replicated in each of the entries related to an FTP session.
- FTP::max_pending_commands
-
Allow a client to send this many commands before the server sends a reply. If this value is exceeded a weird named FTP_too_many_pending_commands is logged for the connection.
- FTP::max_reply_msg_length
-
Truncate the reply_msg field in the log to that many bytes to avoid excessive logging volume.
- FTP::max_user_length
-
Truncate the user field in the log to that many bytes to avoid excessive logging volume as this values is replicated in each of the entries related to an FTP session.
Types
Events
- FTP::log_ftp
-
Event that can be handled to access the
FTP::Info
record as it is sent on to the logging framework.
Hooks
- FTP::finalize_ftp
- Type
FTP finalization hook. Remaining FTP info may get logged when it’s called.
- FTP::finalize_ftp_data
- Type
hook
(c:connection
) :bool
FTP data finalization hook. Expected FTP data channel state may get purged when called.
- FTP::log_policy
- Type
A default logging policy hook for the stream.
Functions
- FTP::parse_ftp_reply_code
- Type
function
(code:count
) :FTP::ReplyCode
Parse FTP reply codes into the three constituent single digit values.