Project

General

Profile

Actions
Copy link

Bug #5778

open
PM OD

ftp fileinfo and extraction seem not to trigger when it should

Bug #5778: ftp fileinfo and extraction seem not to trigger when it should

Added by Peter Manev over 3 years ago. Updated 8 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
6.0.9, git main
Effort:
Difficulty:
Label:

Description

I have tested current master and latest stable 6.0.9.
Please see the attached pcap TLPW.
I may be wrong , but i don't see a reason why we should , the very least have some ftp fileinfo events.
Wireshark also does not extract the files - just for info.
I thought this is better to be logged and investigated rather, hence opening the issue.

Files

Download all files
TLPW-ftp-data-single-case-winzip.tar.xz (13.2 MB) TLPW-ftp-data-single-case-winzip.tar.xz Peter Manev, 01/08/2023 01:42 PM
ftp2.pcap (10.7 MB) ftp2.pcap Andreas Herz, 01/10/2023 10:39 AM

PM Updated by Peter Manev over 3 years ago Actions
Copy link
 #1

In my previous message 

why we should

should read 
why we should not

PM Updated by Peter Manev over 3 years ago Actions
Copy link
 #2

Please be careful if you extract files - the pcap should contain malware.

AH Updated by Andreas Herz over 3 years ago Actions
Copy link
 #3

I found another pcap with ftp-data where the file extraction is working, but not properly. It's octet-stream/data instead of zip. Not sure if it's expected or if we could do better on this protocol.

PA Updated by Philippe Antoine 8 months ago Actions
Copy link
 #4

  • Status changed from New to Feedback

I may be wrong , but i don't see a reason why we should , the very least have some ftp fileinfo events.

We need to see the FTP flow to know that this is ftp-data
What did you expect ?

Actions
Copy link

Also available in: PDF Atom