Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

eve/log: FTP logging #3827

Closed
wants to merge 2 commits into from
Closed

eve/log: FTP logging #3827

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1aa8da3
eve: Log FTP transactions
jlucovsky Apr 1, 2019
ce05cb1
Add option for ftp logging to eve-log
jlucovsky Apr 30, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 66 additions & 0 deletions doc/userguide/output/eve/eve-json-format.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -417,6 +417,72 @@ Example of a old DNS answer with an IPv4 (resource record type 'A') return:
"rdata": "199.16.156.6"
}

Event type: FTP
---------------

Fields
~~~~~~

* "command": The FTP command.
* "command_data": The data accompanying the command.
* "reply": The command reply, which may contain multiple lines, in array format.
* "completion_code": The 3-digit completion code. The first digit indicates whether the response is good, bad or incomplete.
* "dynamic_port": The dynamic port established for subsequent data transfers, when applicable, with a "PORT" or "EPRT" command.
* "mode": The type of FTP connection. Most connections are "passive" but may be "active".

Examples
~~~~~~~~

Example of regular FTP logging:

::

"ftp": {
"command": "RETR",
"command_data": "index.html",
"reply": [
"Opening BINARY mode data connection for index.html (6712 bytes)",
"Transfer complete"
],
"completion_code": "150"
}

Example showing all fields

::

"ftp": {
"command": "EPRT",
"command_data": "|2|2a01:e34:ee97:b130:8c3e:45ea:5ac6:e301|41813|",
"reply": [
"EPRT command successful. Consider using EPSV"
],
"reply_code": "200",
"dynamic_port": 41813,
"mode": "active"
}

Event type: FTP_DATA
--------------------

Fields
~~~~~~

* "command": The FTP command associated with the event.
* "filename": The name of the involved file.

Examples
~~~~~~~~

Example of FTP_DATA logging:

::

"ftp_data": {
"filename": "temp.txt",
"command": "RETR"
}

Event type: TLS
---------------

Expand Down
1 change: 1 addition & 0 deletions src/Makefile.am
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -307,6 +307,7 @@ output-json-drop.c output-json-drop.h \
output-json-email-common.c output-json-email-common.h \
output-json-file.c output-json-file.h \
output-json-flow.c output-json-flow.h \
output-json-ftp.c output-json-ftp.h \
output-json-netflow.c output-json-netflow.h \
output-json-http.c output-json-http.h \
output-json-smtp.c output-json-smtp.h \
Expand Down
Loading