Save FTP payloads

[t3chn0m4g3]

@glaslos Is it planned for glutton to have the option to store payloads as i.e. honeytrap does?

[glaslos]

Don't you have a payloads folder that keeps filling up your disc and crashes your sensors?

[t3chn0m4g3]

@glaslos

🐣

glutton/protocols/tcp/tcp.go

Line 39 in c1204c6

path := filepath.Join("payloads", sha256Hash)

It is not even easter yet and you made me find the easter-egg 😅

[t3chn0m4g3]

@glaslos While seeing payload messages in the log, the payloads folder will not be created. Rebuilt glutton from scratch, started r/w container, pre-created the payloads folder, started glutton even with root privileges; without success.

Log example:

{"time":"2024-03-05T17:10:35.619556256Z","level":"INFO","msg":"ftp payload received","sensorID":"923e4231-e6df-45b3-b2f4-5498394db6da","dest_port":"21","src_ip":"2.2.2.2","src_port":"50368","message":"\"\\x16\\x03\\x00\\x00S\\x01\\x00\\x00O\\x03\\x00?G\\xd7\\xf7\\xba,\\xee\\xea\\xb2`~\\xf3\\x00\\xfd\\x82{\\xb9Ֆ\\xc8w\\x9b\\xe6\\xc4\\xdb<=\\xdbo\\xef\\x10n\\x00\\x00(\\x00\\x16\\x00\\x13\\x00\\n\"","handler":"ftp"}

Expected this to be logged into the payloads folder.

[glaslos]

Ah, this is FTP. I don't store the payload yet. TCP is specifically if i don't have a handler. In case I ever get around to go through may treasure-trove of TCP payloads 😛

[t3chn0m4g3]

Sure thing. Thanks.