eve/ftp: Log initial responses

This changeset ensures that unknown commands are logged.
Unknown commands are either
- Banner responses when connecting to the FTP port
- Commands not included in the FtpCommands descriptor table
pull/4046/head
Jeff Lucovsky 6 years ago committed by Victor Julien
parent a66383569c
commit a04b1c1664

@ -481,7 +481,7 @@ static uint32_t CopyCommandLine(uint8_t **dest, uint8_t *src, uint32_t length)
/* Remove trailing newlines/carriage returns */ /* Remove trailing newlines/carriage returns */
if (isspace((unsigned char)where[length - 1])) { if (isspace((unsigned char)where[length - 1])) {
while(length && isspace((unsigned char)where[--length])); while(length && isspace((unsigned char)where[--length - 1]));
where[length] = '\0'; where[length] = '\0';
} }
*dest = where; *dest = where;
@ -751,12 +751,26 @@ static int FTPParseResponse(Flow *f, void *ftp_state, AppLayerParserState *pstat
{ {
FtpState *state = (FtpState *)ftp_state; FtpState *state = (FtpState *)ftp_state;
int retcode = 1; int retcode = 1;
FTPTransaction *tx;
if (state->command == FTP_COMMAND_UNKNOWN) { if (state->command == FTP_COMMAND_UNKNOWN) {
if (unlikely(input_len == 0)) {
return 1; return 1;
} }
FTPTransaction *tx = FTPGetOldestTx(state); tx = FTPGetOldestTx(state);
if (tx == NULL) {
tx = FTPTransactionCreate(state);
}
if (unlikely(tx == NULL)) {
return -1;
}
/* unknown */
tx->command_descriptor = &FtpCommands[FTP_COMMAND_MAX -1];
} else {
tx = FTPGetOldestTx(state);
}
state->curr_tx = tx; state->curr_tx = tx;
if (state->command == FTP_COMMAND_AUTH_TLS) { if (state->command == FTP_COMMAND_AUTH_TLS) {
if (input_len >= 4 && SCMemcmp("234 ", input, 4) == 0) { if (input_len >= 4 && SCMemcmp("234 ", input, 4) == 0) {
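Review bot: In CopyCommandLine, the rewritten loop `while(length && isspace((unsigned char)where[--length - 1]));` tests `length` before the decrement, so when every byte of the copied line is whitespace it reaches `length == 1`, decrements to 0 and then indexes `where[0 - 1]`. Because `length` is a `uint32_t`, that index wraps and the read lands far outside the allocation. A whitespace-only line (for example a bare CRLF) is enough to reach that case, so it deserves a regression test. Testing the byte before decrementing avoids it and makes the enclosing `if` unnecessary: `while (length && isspace((unsigned char)where[length - 1])) { length--; }`. The function starts and ends outside the hunk, so whether `length` is guaranteed non-zero before the `where[length - 1]` in the `if` has to be confirmed there.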

@ -66,20 +66,21 @@ static void JsonFTPLogJSON(json_t *tjs, Flow *f, FTPTransaction *tx)
json_t *cjs = NULL; json_t *cjs = NULL;
if (f->alproto == ALPROTO_FTPDATA) { if (f->alproto == ALPROTO_FTPDATA) {
cjs = JsonFTPDataAddMetadata(f); cjs = JsonFTPDataAddMetadata(f);
} else if (tx->command_descriptor->command != FTP_COMMAND_UNKNOWN) { } else {
cjs = json_object(); cjs = json_object();
if (cjs) { if (cjs) {
FTPString *response; json_object_set_new(cjs, "command",
json_object_set_new(cjs, "command", json_string(tx->command_descriptor->command_name_upper)); json_string(tx->command_descriptor->command_name_upper));
uint32_t min_length = tx->command_descriptor->command_length + 1; /* command + space */ uint32_t min_length = tx->command_descriptor->command_length + 1; /* command + space */
if (tx->request_length >= min_length) {
json_object_set_new(cjs, "command_data", json_object_set_new(cjs, "command_data",
tx->request_length >= min_length ?
JsonAddStringN((const char *)tx->request + min_length, JsonAddStringN((const char *)tx->request + min_length,
tx->request_length - min_length)); tx->request_length - min_length) :
} json_string(NULL));
if (!TAILQ_EMPTY(&tx->response_list)) { if (!TAILQ_EMPTY(&tx->response_list)) {
json_t *js_resplist = json_array(); json_t *js_resplist = json_array();
if (likely(js_resplist != NULL)) { if (likely(js_resplist != NULL)) {
FTPString *response;
json_t *resp_code = NULL; json_t *resp_code = NULL;
TAILQ_FOREACH(response, &tx->response_list, next) { TAILQ_FOREACH(response, &tx->response_list, next) {
if (!resp_code && response->len >= 3) { if (!resp_code && response->len >= 3) {
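Review bot: The false arm of the new ternary in JsonFTPLogJSON passes `json_string(NULL)` to `json_object_set_new(cjs, "command_data", ...)`, which in jansson returns NULL and makes `json_object_set_new` fail, so the key is silently omitted and the ignored return value is the only trace of it. The outcome matches the explicit `if (tx->request_length >= min_length)` form, but the intent is hidden. Either keep the `if` around the call or add a comment such as `/* json_string(NULL) is NULL: command_data is omitted when the request has no argument */`. This matters more now that unknown-command transactions reach this path, where `tx->request` is presumably unset for banner responses and the length check is the only guard on `tx->request + min_length`. The function continues past the end of the hunk.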
