FTP Session Logging
Published Mar 17, 2015
Version 1.0
The regex doesn't work to capture a username with a dot or other special characters in it. And regex can be expensive CPU-wise.
This iRule seems to work well by just matching on the payload containing USER and printing that; then you don't even need the regex. It also lets you capture if someone is trying to brute force with other special characters.
Rule /Common/log_ftp_sessions : FTP 10.0.0.0:60469: collected payload (30): USER S:LDEFJ:SLDFJS:DLFJ@@%
when CLIENT_DATA {
    # check if payload contains the string we want to log (assumes TCP::collect was issued in CLIENT_ACCEPTED so CLIENT_DATA fires)
    if { [TCP::payload] contains "USER" } {
        log local0. "FTP Client IP [IP::client_addr]:[TCP::client_port]: ([TCP::payload length]): [TCP::payload]"
    }
}
Although of course, if the user's password is USER, it'll capture the password... but you're using stricter password requirements than that, right? 😉
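The caveat in the comment above (a password containing USER gets logged because the whole collected segment is written out) and the special-character problem with the regex both come from treating the payload as an opaque string. The following is an added example, not code from the original page or from F5: it parses the collected FTP control-channel bytes command by command, logs the USER argument byte-for-byte (dots, colons and other characters included), and never writes the PASS argument, only its length. The payload bytes and the client address 10.0.0.0:60469 are constructed sample values taken from the log line in the thread; the function names are assumptions.

```python
# Constructed sample of a collected FTP control-channel segment. It deliberately
# contains a username with dots and a password that is literally "USER".
CONSTRUCTED_PAYLOAD = (
    b"USER j.doe@example.com\r\n"
    b"PASS USER\r\n"
    b"USER S:LDEFJ:SLDFJS:DLFJ@@%\r\n"
    b"PASS hunter2\r\n"
    b"noop\r\n"
)


def naive_match_logs_password(payload: bytes) -> bool:
    """Mirror the `contains "USER"` check from the thread.

    True means the whole segment, password included, would be written
    to the log by the substring-based iRule.
    """
    return b"USER" in payload


def parse_ftp_commands(payload: bytes):
    """Split collected FTP control-channel bytes into (verb, argument) pairs.

    RFC 959 commands are one per CRLF-terminated line, verb first; verbs are
    case-insensitive. The argument is kept byte-for-byte so any character the
    client sends (dot, colon, '@', '%', ...) survives unchanged.
    """
    commands = []
    for line in payload.split(b"\r\n"):
        if not line:
            continue
        verb, _, arg = line.partition(b" ")
        commands.append((verb.upper().decode("ascii", "replace"), arg))
    return commands


def ftp_session_log_lines(client_ip: str, client_port: int, payload: bytes):
    """Produce log lines for the session.

    Only the USER command's argument is logged verbatim. A PASS command is
    recorded as having happened, with the secret replaced by its length, so a
    password such as "USER" can never be mistaken for a login name or leak
    into the log.
    """
    prefix = f"FTP Client IP {client_ip}:{client_port}:"
    lines = []
    for verb, arg in parse_ftp_commands(payload):
        if verb == "USER":
            user = arg.decode("utf-8", "backslashreplace")
            lines.append(f"{prefix} USER {user!r}")
        elif verb == "PASS":
            lines.append(f"{prefix} PASS [redacted, {len(arg)} bytes]")
    return lines


if __name__ == "__main__":
    print("naive check would log the segment:",
          naive_match_logs_password(CONSTRUCTED_PAYLOAD))
    for entry in ftp_session_log_lines("10.0.0.0", 60469, CONSTRUCTED_PAYLOAD):
        print(entry)
```

Matching on the verb position rather than anywhere in the payload is what removes both problems: the username is taken whole, whatever characters it contains, and a PASS argument that happens to contain "USER" is still a password and is redacted. The same split-on-CRLF-then-partition logic is expressible in an iRule with `split` and `lindex`, but the Tcl side is left to the reader since it cannot be run outside a BIG-IP.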