base/protocols/ftp/gridftp.bro

GridFTP

A detection script for GridFTP data and control channels.

GridFTP control channels are identified by FTP control channels that successfully negotiate the GSSAPI method of an AUTH request and for which the exchange involved an encoded TLS/SSL handshake, indicating the GSI mechanism for GSSAPI was used. This analysis is all supported internally; this script simply adds the “gridftp” label to the service field of the control channel’s connection record.

GridFTP data channels are identified by a heuristic that relies on the fact that default settings for GridFTP clients typically mutually authenticate the data channel with TLS/SSL and negotiate a NULL bulk cipher (no encryption). Connections with those attributes are then polled for two minutes with decreasing frequency to check whether the transfer sizes are large enough to indicate a GridFTP data channel that would be undesirable to analyze further (e.g. stop TCP reassembly). A side effect is that true connection sizes are not logged, but with the benefit of saving CPU cycles that would otherwise go to analyzing the large (and likely benign) connections.

Namespace: GridFTP
Imports: base/frameworks/notice, base/protocols/conn, base/protocols/ftp/info.bro, base/protocols/ftp/main.bro, base/protocols/ssl
Source File: /scripts/base/protocols/ftp/gridftp.bro

Summary

Options

GridFTP::max_poll_count: count &redef Max number of times to check whether a connection’s size exceeds the GridFTP::size_threshold.
GridFTP::poll_interval: interval &redef Base amount of time between checking whether a GridFTP data connection has transferred more than GridFTP::size_threshold bytes.
GridFTP::poll_interval_increase: interval &redef The amount of time the base GridFTP::poll_interval is increased by each poll interval.
GridFTP::size_threshold: count &redef Number of bytes transferred before guessing a connection is a GridFTP data channel.
GridFTP::skip_data: bool &redef Whether to skip further processing of the GridFTP data channel once detected, which may help performance.

Redefinitions

FTP::Info: record

Events

GridFTP::data_channel_detected: event Raised when a GridFTP data channel is detected.

Functions

GridFTP::data_channel_initial_criteria: function &redef The initial criteria used to determine whether to start polling the connection for the GridFTP::size_threshold to have been exceeded.

Detailed Interface

Options

GridFTP::max_poll_count
Type: count
Attributes: &redef
Default: 15

Max number of times to check whether a connection’s size exceeds the GridFTP::size_threshold.

GridFTP::poll_interval
Type: interval
Attributes: &redef
Default: 1.0 sec

Base amount of time between checking whether a GridFTP data connection has transferred more than GridFTP::size_threshold bytes.

GridFTP::poll_interval_increase
Type: interval
Attributes: &redef
Default: 1.0 sec

The amount of time the base GridFTP::poll_interval is increased by each poll interval. Can be used to make more frequent checks at the start of a connection and gradually slow down.

GridFTP::size_threshold
Type: count
Attributes: &redef
Default: 1073741824

Number of bytes transferred before guessing a connection is a GridFTP data channel.

GridFTP::skip_data
Type: bool
Attributes: &redef
Default: T

Whether to skip further processing of the GridFTP data channel once detected, which may help performance.

Events

GridFTP::data_channel_detected
Type: event (c: connection)

Raised when a GridFTP data channel is detected.

c: The connection pertaining to the GridFTP data channel.

Functions

GridFTP::data_channel_initial_criteria
Type: function (c: connection) : bool
Attributes: &redef

The initial criteria used to determine whether to start polling the connection for the GridFTP::size_threshold to have been exceeded. This is called in a ssl_established event handler and by default looks for both a client and server certificate and for a NULL bulk cipher. One way in which this function could be redefined is to make it also consider client/server certificate issuer subjects.

c: The connection which may possibly be a GridFTP data channel.
Returns: true if the connection should be further polled for an exceeded GridFTP::size_threshold, else false.
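As an added example that is not part of gridftp.bro or the Bro distribution, the following site policy redefines GridFTP::data_channel_initial_criteria in the way the text suggests: it keeps the default requirements (SSL record, both certificates, NULL bulk cipher) and additionally requires both certificates to be issued by a known grid CA, then handles the detection event and retunes the polling options. The issuer DN, the option values and the set name trusted_gridftp_issuers are placeholders chosen for this example.

```bro
@load base/protocols/ftp/gridftp

# Issuer DNs accepted for GridFTP data channels. The value below is a
# constructed placeholder; replace it with the subjects of your grid CAs.
const trusted_gridftp_issuers: set[string] = {
	"CN=Example Grid CA,O=Example Org,C=US"
} &redef;

redef GridFTP::data_channel_initial_criteria = function(c: connection): bool
	{
	# Default criteria: an SSL analysis record with both a server and a
	# client certificate, and a cipher suite with a NULL bulk cipher
	# (Bro names these like TLS_RSA_WITH_NULL_SHA).
	if ( ! c?$ssl )
		return F;
	if ( ! ( c$ssl?$subject && c$ssl?$client_subject ) )
		return F;
	if ( ! c$ssl?$cipher || /WITH_NULL/ !in c$ssl$cipher )
		return F;

	# Added tightening: both certificates must come from a trusted grid CA,
	# so ordinary mutually authenticated NULL-cipher TLS is not skipped.
	if ( ! ( c$ssl?$issuer && c$ssl?$client_issuer ) )
		return F;

	return c$ssl$issuer in trusted_gridftp_issuers &&
	       c$ssl$client_issuer in trusted_gridftp_issuers;
	};

# React to the detection; here we just record it on stdout so the skipped
# (unlogged-size) transfers remain visible to the operator.
event GridFTP::data_channel_detected(c: connection)
	{
	print fmt("GridFTP data channel: %s:%s -> %s:%s (issuer: %s)",
	          c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
	          c$ssl$issuer);
	}

# Poll a little less aggressively than the defaults (placeholder values):
# start at 2 s between checks, still growing by 1 s each time, and treat
# 512 MiB rather than 1 GiB as large enough to stop analyzing.
redef GridFTP::poll_interval = 2.0 sec;
redef GridFTP::max_poll_count = 20;
redef GridFTP::size_threshold = 536870912;
```

Leaving GridFTP::skip_data at its default of T means a connection that passes these criteria and crosses the threshold stops being analyzed, so the conn log size for it will be short of the real transfer.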
Copyright 2013, The Bro Project. Last updated on June 15, 2015. Created using Sphinx 1.2.2.