main.zeek¶

FTP¶

The logging this script does is primarily focused on logging FTP commands along with metadata. For example, if files are transferred, the argument will take on the full path that the client is at along with the requested file name.

Namespace: FTP
Imports: base/frameworks/cluster, base/protocols/conn/removal-hooks.zeek, base/protocols/ftp/info.zeek, base/protocols/ftp/utils-commands.zeek, base/protocols/ftp/utils.zeek, base/utils/addrs.zeek, base/utils/numbers.zeek, base/utils/paths.zeek

Summary¶

Runtime Options¶

`FTP::guest_ids`: `set` `&redef`	User IDs that can be considered “anonymous”.
`FTP::logged_commands`: `set` `&redef`	List of commands that should have their command/response pairs logged.

Types¶

FTP::ReplyCode: record

This record is to hold a parsed FTP reply code.

Redefinitions¶

Log::ID: enum

The FTP protocol logging stream identifier.

FTP::LOG

connection: record

New Fields

connection

ftp: FTP::Info &optional

ftp_data_reuse: bool &default = F &optional

likely_server_ports: set &redef

Events¶

FTP::log_ftp: event

Event that can be handled to access the FTP::Info record as it is sent on to the logging framework.

Hooks¶

`FTP::finalize_ftp`: `Conn::RemovalHook`	FTP finalization hook.
`FTP::finalize_ftp_data`: `hook`	FTP data finalization hook.
`FTP::log_policy`: `Log::PolicyHook`	A default logging policy hook for the stream.

Functions¶

FTP::parse_ftp_reply_code: function

Parse FTP reply codes into the three constituent single digit values.

Detailed Interface¶

Runtime Options¶

FTP::guest_ids¶

Type

set [string]

Attributes

&redef

Default

{
   "guest",
   "anonymous",
   "ftpuser",
   "ftp"
}

User IDs that can be considered “anonymous”.

FTP::logged_commands¶

Type

set [string]

Attributes

&redef

Default

{
   "ACCT",
   "DELE",
   "APPE",
   "RETR",
   "PORT",
   "STOR",
   "EPRT",
   "PASV",
   "STOU",
   "EPSV"
}

List of commands that should have their command/response pairs logged.

Types¶

FTP::ReplyCode¶

Type

record

x: count

y: count

z: count

This record is to hold a parsed FTP reply code. For example, for the 201 status code, the digits would be parsed as: x->2, y->0, z->1.

Events¶

FTP::log_ftp¶

Type: event (rec: FTP::Info)

Event that can be handled to access the FTP::Info record as it is sent on to the logging framework.

Hooks¶

FTP::finalize_ftp¶

Type: Conn::RemovalHook

FTP finalization hook. Remaining FTP info may get logged when it’s called.

FTP::finalize_ftp_data¶

Type: hook (c: connection) : bool

FTP data finalization hook. Expected FTP data channel state may get purged when called.

FTP::log_policy¶

Type: Log::PolicyHook

A default logging policy hook for the stream.

Functions¶

FTP::parse_ftp_reply_code¶

Type: function (code: count) : FTP::ReplyCode

Parse FTP reply codes into the three constituent single digit values.