7.16 The ftp Analyzer

The ftp analyzer processes traffic associated with the FTP file transfer service (RFC 959). Bro instantiates an ftp analyzer for any connection with service port 21/tcp, provided you have loaded the ftp analyzer or defined a handler for ftp_request or ftp_reply.

The analyzer uses a capture filter of “port ftp” (see Filtering). It generates summaries of FTP sessions and looks for sensitive usernames, access to sensitive files, and possible FTP “bounce” attacks. A possible bounce is one of two cases: the host specified in a “PORT” or “PASV” directive does not correspond to the host sending the directive, or a host other than the server (client) connects to the endpoint specified in a PORT (PASV) directive.
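
The two bounce conditions above reduce to address comparisons on the `h1,h2,h3,h4,p1,p2` field of a PORT argument or a 227 (PASV) reply. The following Python code is an added example, not Bro's analyzer code; the function names and the sample directives are assumptions made for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried in PORT arguments and 227 (PASV) replies, RFC 959
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def parse_hostport(text):
    """Return (IPv4Address, port) from a PORT argument or 227 reply, else None."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    host = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return host, nums[4] * 256 + nums[5]


def check_directive(sender, text):
    """First condition: the advertised host must be the host that sent the directive.

    sender is the client for PORT and the server for a PASV reply.
    Returns None when consistent, otherwise a finding string.
    """
    parsed = parse_hostport(text)
    if parsed is None:
        return "malformed host/port"
    host, port = parsed
    if host != ipaddress.IPv4Address(sender):
        return f"bounce candidate: {sender} advertised {host}:{port}"
    return None


def check_data_peer(expected_peer, actual_peer):
    """Second condition: only the expected host may connect to the endpoint."""
    if ipaddress.IPv4Address(expected_peer) != ipaddress.IPv4Address(actual_peer):
        return f"unexpected data peer: {actual_peer} (expected {expected_peer})"
    return None


# Constructed sample directives (documentation address ranges, not captured traffic).
SAMPLE = [
    ("192.0.2.10", "PORT 192,0,2,10,19,137"),        # client names itself
    ("192.0.2.10", "PORT 198,51,100,7,0,25"),        # client names a third host
    ("203.0.113.5", "227 Entering Passive Mode (203,0,113,5,195,80)"),
]
FINDINGS = [check_directive(sender, line) for sender, line in SAMPLE]
```

For a PORT directive the expected data peer is the server, and for a PASV reply it is the client, which is what `check_data_peer` compares against the host that actually connects.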