:orphan:

Package: base/protocols/ftp
===========================

Support for File Transfer Protocol (FTP) analysis.

:doc:`/scripts/base/protocols/ftp/__load__.bro`


:doc:`/scripts/base/protocols/ftp/utils-commands.bro`


:doc:`/scripts/base/protocols/ftp/info.bro`

   Defines data structures for tracking and logging FTP sessions.

:doc:`/scripts/base/protocols/ftp/main.bro`

   The logging this script does is primarily focused on logging FTP commands
   along with metadata.  For example, if files are transferred, the argument
   will take on the full path that the client is at along with the requested
   file name.

:doc:`/scripts/base/protocols/ftp/utils.bro`

   Utilities specific for FTP processing.

:doc:`/scripts/base/protocols/ftp/files.bro`


:doc:`/scripts/base/protocols/ftp/gridftp.bro`

   A detection script for GridFTP data and control channels.
   
   GridFTP control channels are identified by FTP control channels
   that successfully negotiate the GSSAPI method of an AUTH request
   and for which the exchange involved an encoded TLS/SSL handshake,
   indicating the GSI mechanism for GSSAPI was used.  This analysis
   is all supported internally, this script simply adds the "gridftp"
   label to the *service* field of the control channel's
   :bro:type:`connection` record.
   
   GridFTP data channels are identified by a heuristic that relies on
   the fact that default settings for GridFTP clients typically
   mutually authenticate the data channel with TLS/SSL and negotiate a
   NULL bulk cipher (no encryption).  Connections with those
   attributes are then polled for two minutes with decreasing frequency
   to check if the transfer sizes are large enough to indicate a
   GridFTP data channel that would be undesirable to analyze further
   (e.g. stop TCP reassembly).  A side effect is that true connection
   sizes are not logged, but at the benefit of saving CPU cycles that
   would otherwise go to analyzing the large (and likely benign) connections.

