For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

FTP Session Logging

Problem this snippet solves: This iRule logs FTP connections and username information. By default connection mapping from client through BIG-IP to server is logged as well as the username entered by...
Published Mar 17, 2015
Version 1.0
application delivery
devops
iRules
reporting
kokushibyou_519's avatar
kokushibyou_519
Icon for Nimbostratus rankNimbostratus
Sep 20, 2018

The regex doesn't work to capture a username with a dot or other special characters in it. And, regex can be expensive cpu wise.

This irule seems to work well by just matching on the payload containing USER and printing that, then you don't even need the regex. Also lets you capture if someone is trying to brute force with other special characters.

Rule /Common/log_ftp_sessions : FTP 10.0.0.0:60469: collected payload (30): USER S:LDEFJ:SLDFJS:DLFJ@@%

 check if payload contains the string we want to log
if { [TCP::payload] contains "USER" } {
    log local0. "FTP Client IP [IP::client_addr]:[TCP::client_port]: ([TCP::payload length]): [TCP::payload]"

Although of course, if the user's password is USER, it'll capture the password.. but you're using stricter password requirements than that, right? 😉