


7.16.4 ftp event handlers

The standard script handles the following events:

ftp_request (c: connection, command: string, arg: string)
Invoked upon the client side of connection c having made the request command with the argument arg.

The processing depends on the particular command:

USER
Specifies the username that the client wishes to use for authentication. If it is sensitive—in hot_ids (which the ftp analyzer accesses via a @load of hot-ids)—then the analyzer flags the FTP session as log-worthy. In addition, if the username is in forbidden_ids, then the analyzer terminates the session.

The analyzer also updates the connection's addl field with the username.

PASS
Specifies the password to use for authentication.

If the password is empty and the username appears in forbidden_ids_if_no_password (also from the hot-ids analyzer), then the analyzer terminates the connection.

If the username corresponds to a guest account (ftp_guest_ids), then the analyzer updates the connection's addl field with the password as additional account information. Otherwise, it generates an account_tried event to facilitate detection of password guessing.

PORT
Instructs the FTP server to connect to the given IP address and port for delivery of the next FTP data item. The analyzer first checks the address/port specifier for validity. If valid, it will generate an alert if either the address specified in the directive does not match that of the client, or if the port corresponds to a “privileged” port, i.e., one in the range 0–1023. Finally, it establishes state so that is_ftp_data_conn can identify a subsequent connection corresponding to this directive as belonging to this FTP session.

ACCT
Specifies additional accounting information associated with a session, which the analyzer simply adds to the connection's addl field.

APPE, CWD, DELE, MKD, RETR, RMD, RNFR, RNTO, STOR, STOU
All of these manipulate files (and directories). The analyzer checks the filename against the policies to see if it is sensitive in the context of the given username (i.e., guest or non-guest), and, if so, marks the connection to generate an alert unless the operation fails. The analyzer also checks for an excessively long filename, currently by checking its length against a hardwired maximum of 250 bytes (a known deficiency: the limit is not configurable).

ftp_reply (c: connection, code: count, msg: string, cont_resp: bool)
Invoked upon the server side of connection c having replied to a request using the given status code and text message. cont_resp is true if the reply line is tagged as being continued to the next line. The analyzer only processes a reply once the last line of a continued reply has been received.

The analyzer checks the reply against any expected for the connection (for example, “log_if_not_denied”) and generates alerts accordingly. If the reply corresponds to a PASV directive, then it parses the address/port specification in the reply and generates alerts in an analogous fashion as done by the ftp_request handler for PORT directives.

Finally, if the reply is not one that the analyzer is hardwired to skip (code 150, used at the beginning of a data transfer, and code 331, used to prompt for a password), then it writes a summary of the request and reply to the FTP log file (See: ftp variables). Also, if the reply is an “orphan” (there was no corresponding request, perhaps because Bro started up after the request was made), then the reply is summarized in the log file by itself.
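The following Python block is an added example, not code from Bro's ftp analyzer. It re-implements the behaviour described above for PORT requests and PASV replies (validity check of the h1,h2,h3,h4,p1,p2 specifier, address-mismatch and privileged-port alerts, state for is_ftp_data_conn), the buffering of continued replies until the final line, the 150/331 logging skip, and orphan-reply logging. The names FtpSession, parse_port_spec and split_reply_line, the decision to alert on an unparsable specifier, the reading that a PASV reply is compared against the server's address, and the sample session are all assumptions made for the illustration.

```python
"""Added example (not Bro's own code): a Python model of the PORT/PASV checks,
continued-reply handling and request/reply logging described in this section.
Names and the sample session below are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Optional

PRIVILEGED_PORT_MAX = 1023          # ports 0-1023 count as "privileged"
SKIP_LOG_CODES = {150, 331}         # hardwired skips: transfer start, password prompt
PORT_SPEC = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_port_spec(text: str) -> Optional[tuple[str, int]]:
    """Extract an h1,h2,h3,h4,p1,p2 specifier (PORT argument or 227 PASV reply
    text) and return (ip, port), or None if it is absent or out of range."""
    m = PORT_SPEC.search(text)
    if m is None:
        return None
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        return None
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def split_reply_line(line: str) -> tuple[int, str, bool]:
    """Turn a raw reply line into (code, msg, cont_resp): '220-x' is tagged as
    continued, '220 x' is the final line of the reply."""
    m = re.fullmatch(r"(\d{3})([ -])(.*)", line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"malformed reply line: {line!r}")
    return int(m.group(1)), m.group(3), m.group(2) == "-"


@dataclass
class FtpSession:
    client_ip: str
    server_ip: str
    pending: list = field(default_factory=list)     # requests awaiting a reply
    data_conns: set = field(default_factory=set)    # expected (ip, port) data endpoints
    alerts: list = field(default_factory=list)
    log: list = field(default_factory=list)
    _reply_buf: list = field(default_factory=list)  # lines of a continued reply

    def _check_endpoint(self, who: str, spec: str, expected_ip: str) -> bool:
        """Shared PORT/PASV validation: the specifier must parse, the address
        must match expected_ip (client for PORT; server for PASV, our reading
        of 'analogous'), and the port must not be privileged."""
        parsed = parse_port_spec(spec)
        if parsed is None:
            # Alerting on an unparsable specifier is this example's choice.
            self.alerts.append(f"{who}: invalid address/port specifier {spec!r}")
            return False
        ip, port = parsed
        if ip != expected_ip:
            self.alerts.append(f"{who}: address {ip} does not match {expected_ip}")
        if port <= PRIVILEGED_PORT_MAX:
            self.alerts.append(f"{who}: privileged port {port}")
        self.data_conns.add((ip, port))   # lets is_ftp_data_conn recognise it later
        return True

    def ftp_request(self, command: str, arg: str) -> None:
        command = command.upper()
        if command == "PORT":
            self._check_endpoint("PORT", arg, self.client_ip)
        self.pending.append((command, arg))

    def ftp_reply(self, code: int, msg: str, cont_resp: bool) -> Optional[str]:
        """Buffer continued lines; process the reply only once the last line
        arrives.  Returns the log entry written, or None."""
        self._reply_buf.append(msg)
        if cont_resp:
            return None
        full_msg, self._reply_buf = "\n".join(self._reply_buf), []
        request = self.pending.pop(0) if self.pending else None
        if request is not None and request[0] == "PASV" and code == 227:
            self._check_endpoint("PASV", full_msg, self.server_ip)
        if code in SKIP_LOG_CODES:
            return None
        first_line = full_msg.splitlines()[0] if full_msg else ""
        if request is None:                 # orphan reply: no request was seen
            entry = f"orphan reply {code} {first_line}"
        else:
            entry = f"{' '.join(filter(None, request))} -> {code} {first_line}"
        self.log.append(entry)
        return entry

    def is_ftp_data_conn(self, ip: str, port: int) -> bool:
        return (ip, port) in self.data_conns


def run_sample() -> FtpSession:
    """Constructed session: a PORT naming a third host on a privileged port,
    then a two-line 227 PASV reply from the server."""
    s = FtpSession(client_ip="10.0.0.5", server_ip="192.0.2.10")
    s.ftp_request("USER", "anonymous")
    s.ftp_reply(*split_reply_line("331 Please specify the password."))
    s.ftp_request("PORT", "10,0,0,9,0,21")                      # wrong host, port 21
    s.ftp_reply(*split_reply_line("200 PORT command successful."))
    s.ftp_request("PASV", "")
    s.ftp_reply(*split_reply_line("227-Entering Passive Mode"))
    s.ftp_reply(*split_reply_line("227 (192,0,2,10,195,80)"))    # 195*256+80 = 50000
    return s
```

Running run_sample() yields two alerts for the PORT directive (address mismatch and privileged port 21), no alert for the PASV reply, a log with the PORT and PASV exchanges but not the 331 prompt, and is_ftp_data_conn recognising both announced endpoints.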

The standard ftp script defines one other handler, an instance of used to flush FTP session information in case the session terminates abnormally and no reply is seen to the pending request(s).