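# THUNDER PRM LIBRARY
# Copyright 2008 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# filezilla log events
#
# DESCRIPTION:
# This library is used to parse events from a filezilla ftp server.
#
# LAST UPDATE: $Date: 2011/08/22 00:54:47 $
#
# LAYOUT:
# One rule per block, blocks separated by NEXT.
#   id=     unique rule number
#   name=   human-readable description of the event
#   match=  literal substring pre-filter; regex= is only tried on a log
#           line that contains every match= string of the rule
#   regex=  pattern applied to the line; group 1 is the dotted-quad
#           client address printed in parentheses before ")> "
#   log=    normalized event that is emitted ($1 = regex group 1)
#
# REVIEW NOTES:
# - The address pattern [0-9]+(\.[0-9]+){3} is IPv4-only and does not
#   range-check octets; a client logged with an IPv6 address will not
#   match any rule in this file.
# - dstport:21 and proto:6 are constants, not parsed from the log. A
#   server listening on another port is still reported as port 21.
# - The "." characters in the message part of each regex are unescaped
#   and match any character. The full literal text is also required by
#   a match= line, so this does not widen what the rules accept.
# - id 4909 is not defined in this library.

# Control connection dropped because the client did not finish
# authenticating in time.
id=4900
name=The Filezilla FTP server has closed a connection due to login time exceeded.
match=Lo
match=Login
match=ont
match=ol
match=lo
match=ion
match=ing
match=ce
match=ed
match=)> 421 Login time exceeded. Closing control connection.
match=ect
match=onnect
match=onnection
regex=\(([0-9]+(\.[0-9]+){3})\)> 421 Login time exceeded. Closing control connection.
log=event:Filezilla-Login_Time_Exceeded type:login-failure srcip:$1 dstport:21 proto:6

NEXT

# New control connection accepted; the welcome banner is about to be sent.
id=4901
name=The Filezilla FTP server has logged a connected message and sent a welcome message.
match=onnect
match=ect
match=ing
match=ed
match=ss
match=)> Connected, sending welcome message
regex=\(([0-9]+(\.[0-9]+){3})\)> Connected, sending welcome message
log=event:Filezilla-Connection type:connection srcip:$1 dstport:21 proto:6

NEXT

# Failed authentication (FTP reply 530). Many of these from one srcip in
# a short window is the usual signal to alert on for password guessing.
id=4902
name=The Filezilla FTP server has detected a bad login or a bad password.
match=Lo
match=Login
match=rr
match=ss
match=ass
match=)> 530 Login or password incorrect!
match=ect
regex=\(([0-9]+(\.[0-9]+){3})\)> 530 Login or password incorrect!
log=event:Filezilla-Incorrect_Password type:login-failure srcip:$1 dstport:21 proto:6

NEXT

# Server version banner line (FTP reply 220).
id=4903
name=The Filezilla FTP server has logged its version number.
match=ion
match=ersion
match=le
match=)> 220-FileZilla Server version
regex=\(([0-9]+(\.[0-9]+){3})\)> 220-FileZilla Server version
log=event:Filezilla-Version type:application srcip:$1 dstport:21 proto:6

NEXT

# Successful authentication (FTP reply 230).
id=4904
name=The Filezilla FTP server had a valid user login.
match=ed
match=ogged
match=Lo
match=)> 230 Logged on
regex=\(([0-9]+(\.[0-9]+){3})\)> 230 Logged on
log=event:Filezilla-Login type:login srcip:$1 dstport:21 proto:6

NEXT

# Directory listing started (FTP reply 150).
id=4905
name=The Filezilla FTP server had a user open a data channel for a directory list.
match=ire
match=direct
match=ect
match=ing
match=)> 150 Opening data channel for directory list.
match=an
regex=\(([0-9]+(\.[0-9]+){3})\)> 150 Opening data channel for directory list.
log=event:Filezilla-Directory_Listing type:application srcip:$1 dstport:21 proto:6

NEXT

# Successful change of working directory (FTP reply 250). The match=
# lines also require the trailing "is current directory." text; the
# regex only anchors on the first sentence of the reply.
id=4906
name=The Filezilla FTP server has recorded a successful change of directory command.
match=ire
match=direct
match=ect
match=ce
match=ss
match=)> 250 CWD successful.
match=ent
match=rr
match=is current directory.
regex=\(([0-9]+(\.[0-9]+){3})\)> 250 CWD successful.
log=event:Filezilla-CWD_Successful type:application srcip:$1 dstport:21 proto:6

NEXT

# File download request (RETR command).
# srcip:$1 added: the regex already captures the client address, but the
# normalized event dropped it, so downloads could not be tied to a host.
id=4907
name=The Filezilla FTP server had a user retrieve a file.
match=TR
match=RETR
match=)> RETR
regex=\(([0-9]+(\.[0-9]+){3})\)> RETR
log=event:Filezilla-User_Has_Retrieved_File type:file-access srcip:$1 dstport:21 proto:6

NEXT

# Failed change of working directory (FTP reply 550).
# srcip:$1 added: without it an access-denied event carried no source
# address, unlike the login-failure rules in this library.
id=4908
name=The Filezilla FTP server has recorded a failed change of working directory attempt. This could mean they've tried to obtain information they are not allowed to have access to.
match=CWD
match=ail
match=le
match=ed
match=ailed
match=)> 550 CWD failed.
regex=\(([0-9]+(\.[0-9]+){3})\)> 550 CWD failed.
log=event:Filezilla-CWD_Failed type:access-denied srcip:$1 dstport:21 proto:6

NEXT

# File upload request (STOR command).
# srcip:$1 added for the same reason as in rules 4907 and 4908: the
# captured client address was not written to the normalized event.
id=4910
name=The Filezilla FTP server has recorded a file STOR request which indicates a request to upload a file.
match=ST
match=STOR
match=)> STOR
regex=\(([0-9]+(\.[0-9]+){3})\)> STOR
log=event:Filezilla-File_Upload_Request type:file-access srcip:$1 dstport:21 proto:6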