


6.1.12 ftp.bro

ftp_log : file
The file into which FTP-related alerts are written.

ftp_sessions : table[conn_id] of ftp_session_info

ftp_guest_ids : set[string]

The set of login IDs which are guest logins, e.g., “anonymous” and “ftp”.
Note: This variable is const, so may only be changed via redef.

ftp_skip_hot : set[addr, addr, string]

Indexed by source and destination addresses and the id; a connection matching an entry is not marked as “hot” even if its data would otherwise cause it to be.
Note: This variable is const, so may only be changed via redef.

ftp_hot_files : pattern

If a filename matching this pattern is requested, the ftp_sensitive_files event is generated. The default behavior is to log the connection.
Note: This variable is const, so may only be changed via redef.

ftp_hot_guest_files : pattern

If a user is logged in under a guest ID and attempts to retrieve a file matching this pattern, the ftp_sensitive event is generated. The default behavior is to log the connection.
Note: This variable is const, so may only be changed via redef.

ftp_hot_cmds : table[string] of pattern

If an FTP command matches an index into the table and its argument matches the associated pattern, the connection is logged.
Note: This variable is const, so may only be changed via redef.

skip_unexpected : set[addr]

Pairs of IP addresses for which we shouldn't bother logging if one of them is used in lieu of the other in a PORT or PASV directive.

skip_unexpected_net : set[addr]

Similar to skip_unexpected, but matches a /24 subnet.

ftp_data_expected : table[addr, port] of addr

Indexed by the server's responder pair, yields the address expected to make an FTP data connection to it.

ftp_data_expected_session : table[addr, port] of ftp_session_info

Indexed by the server's responder pair, yields the associated ftp_session_info record for the expected incoming FTP data connection.

ftp_excessive_filename_len : count

If an FTP request filename meets or exceeds this length, an FTP_ExcessiveFilename alert is generated.

ftp_excessive_filename_trunc_len : count

How much of the excessively long filename is printed in the alert message.

ftp_ignore_invalid_PORT : pattern

Invalid PORT/PASV directives that exactly match this pattern don't generate alerts.

ftp_ignore_privileged_PASVs : set[port]

If an FTP PASV port is specified to be a privileged port (< 1024/tcp) then an FTP_PrivPort event is generated, EXCEPT if the port is in this set.
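
The following is an added Python model of three of the checks described above (ftp_ignore_privileged_PASVs, ftp_ignore_invalid_PORT and ftp_excessive_filename_len with its truncation length); it is not code from ftp.bro. The variable values, the sample replies and the name of the invalid-directive alert are constructed for illustration, since this page does not give them.

```python
import re

# Constructed values: the page names these variables but not their defaults.
ftp_ignore_privileged_PASVs = {20}
ftp_ignore_invalid_PORT = re.compile(r"0,0,0,0,0")  # assumed known-broken client
ftp_excessive_filename_len = 250
ftp_excessive_filename_trunc_len = 32

def parse_host_port(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (addr, port); None if malformed."""
    fields = arg.split(",")
    if len(fields) != 6 or not all(f.isdecimal() and int(f) <= 255 for f in fields):
        return None
    n = [int(f) for f in fields]
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]

def check_pasv(reply):
    """Return the alert a 227 reply would raise in this model, or None."""
    m = re.search(r"\(([^)]*)\)", reply)
    arg = m.group(1) if m else reply
    parsed = parse_host_port(arg)
    if parsed is None:
        # "Exactly match" means the whole directive, hence fullmatch().
        if ftp_ignore_invalid_PORT.fullmatch(arg):
            return None
        return "InvalidDirective (placeholder name)"
    _, port = parsed
    # Privileged means below 1024/tcp; ports in the ignore set are exempt.
    if port < 1024 and port not in ftp_ignore_privileged_PASVs:
        return "FTP_PrivPort"
    return None

def check_filename(name):
    """Return (alert, truncated name) when the length meets or exceeds the limit."""
    if len(name) >= ftp_excessive_filename_len:
        return "FTP_ExcessiveFilename", name[:ftp_excessive_filename_trunc_len]
    return None

if __name__ == "__main__":
    # Constructed server replies and filename, not captured traffic.
    for reply in ("227 Entering Passive Mode (192,0,2,10,195,80)",
                  "227 Entering Passive Mode (192,0,2,10,0,80)",
                  "227 Entering Passive Mode (192,0,2,10,0,20)",
                  "227 Entering Passive Mode (0,0,0,0,0)",
                  "227 Entering Passive Mode (192,0,2,10,999,1)"):
        print(reply, "->", check_pasv(reply))
    print(check_filename("A" * 300))
```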