base/protocols/ftp/gridftp.bro
-
GridFTP
A detection script for GridFTP data and control channels.
GridFTP control channels are identified by FTP control channels
that successfully negotiate the GSSAPI method of an AUTH request
and for which the exchange involved an encoded TLS/SSL handshake,
indicating the GSI mechanism for GSSAPI was used. This analysis
is all supported internally, this script simply adds the “gridftp”
label to the service field of the control channel’s
connection record.
GridFTP data channels are identified by a heuristic that relies on
the fact that default settings for GridFTP clients typically
mutually authenticate the data channel with TLS/SSL and negotiate a
NULL bulk cipher (no encryption). Connections with those
attributes are then polled for two minutes with decreasing frequency
to check if the transfer sizes are large enough to indicate a
GridFTP data channel that would be undesirable to analyze further
(e.g. stop TCP reassembly). A side effect is that true connection
sizes are not logged, but at the benefit of saving CPU cycles that
would otherwise go to analyzing the large (and likely benign) connections.
Detailed Interface
Options
-
GridFTP::max_poll_count
-
Max number of times to check whether a connection’s size exceeds the
GridFTP::size_threshold.
-
GridFTP::poll_interval
-
Base amount of time between checking whether a GridFTP data connection
has transferred more than GridFTP::size_threshold bytes.
-
GridFTP::poll_interval_increase
-
The amount of time the base GridFTP::poll_interval is
increased by each poll interval. Can be used to make more frequent
checks at the start of a connection and gradually slow down.
-
GridFTP::size_threshold
-
Number of bytes transferred before guessing a connection is a
GridFTP data channel.
-
GridFTP::skip_data
-
Whether to skip further processing of the GridFTP data channel once
detected, which may help performance.
Events
-
GridFTP::data_channel_detected
-
Raised when a GridFTP data channel is detected.
C: | The connection pertaining to the GridFTP data channel. |
Functions
-
GridFTP::data_channel_initial_criteria
-
The initial criteria used to determine whether to start polling
the connection for the GridFTP::size_threshold to have
been exceeded. This is called in a ssl_established event
handler and by default looks for both a client and server certificate
and for a NULL bulk cipher. One way in which this function could be
redefined is to make it also consider client/server certificate
issuer subjects.
C: | The connection which may possibly be a GridFTP data channel. |
Returns: | true if the connection should be further polled for an
exceeded GridFTP::size_threshold, else false. |