base/protocols/ftp/main.zeek
- FTP
The logging this script does is primarily focused on logging FTP commands along with metadata. For example, if files are transferred, the argument will take on the full path that the client is at along with the requested file name.
- Namespace
FTP
- Imports
base/frameworks/cluster, base/frameworks/notice/weird.zeek, base/protocols/conn/removal-hooks.zeek, base/protocols/ftp/info.zeek, base/protocols/ftp/utils-commands.zeek, base/protocols/ftp/utils.zeek, base/utils/addrs.zeek, base/utils/numbers.zeek, base/utils/paths.zeek
Summary
Runtime Options
- FTP::guest_ids: User IDs that can be considered “anonymous”.
- FTP::logged_commands: List of commands that should have their command/response pairs logged.
- FTP::max_arg_length: Truncate the arg field in the log to that many bytes to avoid excessive logging volume.
- FTP::max_password_length: Truncate the password field in the log to that many bytes to avoid excessive logging volume as this value is replicated in each of the entries related to an FTP session.
- FTP::max_pending_commands: Allow a client to send this many commands before the server sends a reply.
- FTP::max_reply_msg_length: Truncate the reply_msg field in the log to that many bytes to avoid excessive logging volume.
- FTP::max_user_length: Truncate the user field in the log to that many bytes to avoid excessive logging volume as this value is replicated in each of the entries related to an FTP session.
Types
- FTP::ReplyCode: This record is to hold a parsed FTP reply code.
Redefinitions
- The FTP protocol logging stream identifier.
Events
- FTP::log_ftp: Event that can be handled to access the FTP::Info record as it is sent on to the logging framework.
Hooks
- FTP::finalize_ftp: FTP finalization hook.
- FTP::finalize_ftp_data: FTP data finalization hook.
- FTP::log_policy: A default logging policy hook for the stream.
Functions
- FTP::parse_ftp_reply_code: Parse FTP reply codes into the three constituent single digit values.
Detailed Interface
Runtime Options
- FTP::guest_ids
User IDs that can be considered “anonymous”.
- FTP::logged_commands
- Type
- Attributes
- Default
{ "ACCT", "DELE", "APPE", "RETR", "PORT", "STOR", "EPRT", "PASV", "STOU", "EPSV" }
List of commands that should have their command/response pairs logged.
- FTP::max_arg_length
Truncate the arg field in the log to that many bytes to avoid excessive logging volume.
- FTP::max_password_length
Truncate the password field in the log to that many bytes to avoid excessive logging volume as this value is replicated in each of the entries related to an FTP session.
- FTP::max_pending_commands
Allow a client to send this many commands before the server sends a reply. If this value is exceeded a weird named FTP_too_many_pending_commands is logged for the connection.
- FTP::max_reply_msg_length
Truncate the reply_msg field in the log to that many bytes to avoid excessive logging volume.
- FTP::max_user_length
Truncate the user field in the log to that many bytes to avoid excessive logging volume as this value is replicated in each of the entries related to an FTP session.
Types
Events
- FTP::log_ftp
Event that can be handled to access the FTP::Info record as it is sent on to the logging framework.
Hooks
- FTP::finalize_ftp
- Type
FTP finalization hook. Remaining FTP info may get logged when it’s called.
- FTP::finalize_ftp_data
- Type
hook (c: connection) : bool
FTP data finalization hook. Expected FTP data channel state may get purged when called.
- FTP::log_policy
- Type
A default logging policy hook for the stream.
Functions
- FTP::parse_ftp_reply_code
- Type
function (code: count) : FTP::ReplyCode
Parse FTP reply codes into the three constituent single digit values.
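A site-local script that ties the options, hooks, event and function above together, as an added example that is not part of the Zeek distribution or this page. The tuning values, the "demo" guest account and the two helper sets are constructed for illustration; the FTP::Info field names (user, command, reply_code, uid, id) and the ReplyCode field x are assumed from base/protocols/ftp/info.zeek and main.zeek, which this page does not show.

```zeek
@load base/protocols/ftp

# Constructed tuning values; pick limits that fit your site's log budget.
redef FTP::logged_commands += { "LIST", "MKD", "RMD" };
redef FTP::max_arg_length = 1024;
redef FTP::max_reply_msg_length = 512;
redef FTP::guest_ids += { "demo" };   # hypothetical site-specific guest account

# Helper sets (names are this example's own, not part of the FTP module).
const data_setup_cmds: set[string] = { "PORT", "EPRT", "PASV", "EPSV" };
const write_cmds: set[string] = { "STOR", "STOU", "APPE", "DELE" };

# Veto data-channel setup entries from guest sessions to cut ftp.log volume,
# while keeping every transfer and deletion entry.
hook FTP::log_policy(rec: FTP::Info, id: Log::ID, filter: Log::Filter)
	{
	if ( ! rec?$command )
		return;

	if ( to_lower(rec$user) in FTP::guest_ids && rec$command in data_setup_cmds )
		break;
	}

# Report write or delete attempts the server refused. A first reply digit
# of 5 is a permanent negative completion in FTP (RFC 959).
event FTP::log_ftp(rec: FTP::Info)
	{
	if ( ! rec?$command || ! rec?$reply_code )
		return;

	if ( rec$command !in write_cmds )
		return;

	local rc = FTP::parse_ftp_reply_code(rec$reply_code);

	if ( rc$x == 5 )
		print fmt("%s: %s refused with %d for user %s (%s -> %s)",
		          rec$uid, rec$command, rec$reply_code, rec$user,
		          rec$id$orig_h, rec$id$resp_h);
	}
```

"USER" and "PASS" are deliberately not added to FTP::logged_commands here: check how the arg field is populated for those commands in your Zeek version before logging them.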