 |
Myra Canyon
v0.0.1-768
network control
|
|
|
Myra Canyon
v0.0.1-768
network control
|
|
Detect and examine plain text FTP packets. More...
Functions | |
| bool | examine (Flow &flow, const Myra::PktInfo &info) |
| Examine a packet for FTP, and mark the flow if found. More... | |
| bool | helper (Flow &flow, const Myra::PktInfo &info) |
| Helper exam to detect when a data connection will be taking place. More... | |
Detect and examine plain text FTP packets.
| bool Myra::Traffic::FTP::examine | ( | Myra::Flow & | flow, |
| const Myra::PktInfo & | info | ||
| ) |
Examine a packet for FTP, and mark the flow if found.
true if this exam needs to be called again for the given flow false if this exam never needs to be called again Within the first few packets, look for:
^220[- ].*\r\n
A simple example:
0: 32 32 30 20 46 69 6c 65 43 61 74 61 6c 79 73 74 20 53 65 72 76 65 72 20 45 6e 74 65 72 70 72 69 - 220 FileCatalyst Server Enterpri 20: 73 65 20 76 33 2e 34 20 42 75 69 6c 64 20 31 31 20 28 30 36 2f 30 35 2f 32 30 31 34 20 31 36 31 - se v3.4 Build 11 (06/05/2014 161 40: 38 29 0d 0a - 8)..
A more complex example with the "-" continuation character after the 220 response code:
| bool Myra::Traffic::FTP::helper | ( | Myra::Flow & | flow, |
| const Myra::PktInfo & | info | ||
| ) |
Helper exam to detect when a data connection will be taking place.
This exam is automatically added to a flow once FTP::examine() has detected that a flow is Traffic::Type::FTP.
true if this exam needs to be called again for the given flow false if this exam never needs to be called again Look for traffic like this which contains both the IP address and port we expect to see for the data connections:
0: 32 32 37 20 45 6e 74 65 72 69 6e 67 20 50 61 73 73 69 76 65 20 4d 6f 64 65 20 28 31 39 32 2c 31 - 227 Entering Passive Mode (192,1 20: 36 38 2c 31 2c 33 2c 33 34 2c 31 36 35 29 0d 0a - 68,1,3,34,165)..
1.8.8