Project

General

Profile

Actions
Copy link

Bug #5778

open

ftp fileinfo and extraction seem not to trigger when it should

Added by Peter Manev over 1 year ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
6.0.9, git master
Effort:
Difficulty:
Label:

Description

I have tested current master and latest stable 6.0.9.
Please see the attached pcap TLPW.
I may be wrong , but i don't see a reason why we should , the very least have some ftp fileinfo events.
Wireshark also does not extract the files - just for info.
I thought this is better to be logged and investigated rather, hence opening the issue.

Files

Download all files
TLPW-ftp-data-single-case-winzip.tar.xz (13.2 MB) TLPW-ftp-data-single-case-winzip.tar.xz Peter Manev, 01/08/2023 01:42 PM
ftp2.pcap (10.7 MB) ftp2.pcap Andreas Herz, 01/10/2023 10:39 AM
Actions
Copy link
 #1

Updated by Peter Manev over 1 year ago

In my previous message 

why we should

should read 
why we should not

Actions
Copy link
 #2

Updated by Peter Manev over 1 year ago

Please be careful if you extract files - the pcap should contain malware.

Actions
Copy link
 #3

Updated by Andreas Herz over 1 year ago

I found another pcap with ftp-data where the file extraction is working, but not properly. It's octet-stream/data instead of zip. Not sure if it's expected or if we could do better on this protocol.

Actions
Copy link

Also available in: Atom PDF