FTP over SSL, how to check in FTP Logs.

I was working with one of my customers who was trying to figure out how to check whether FTP is using SSL or not. At first I couldn't find out how exactly we can do it, but later on I figured it out. In the FTP log fields, there is a W3C logging field called Method (cs-method).

In order to find the difference I first used FTP without SSL and then with SSL. Below are the two logs.

Without SSL

===========

#Software: Microsoft Internet Information Services 7.0

#Version: 1.0

#Date: 2008-12-17 21:45:24

#Fields: date time c-ip c-port cs-username s-sitename s-computername sc-host s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus sc-bytes cs-bytes time-taken x-session x-fullpath x-debug

2008-12-17 21:45:24 65.52.18.179 65491 - FTPSVC3 ComputerName - 65.52.22.60 21 ControlChannelOpened - - 0 0 0 0 0 bd8ac5be-aad1-405a-a591-49ad5cee540a - -

2008-12-17 21:45:24 65.52.18.179 65491 - FTPSVC3 ComputerName - 65.52.22.60 21 USER UserName 331 0 0 43 21 0 bd8ac5be-aad1-405a-a591-49ad5cee540a - -

2008-12-17 21:45:24 65.52.18.179 65491 UserName FTPSVC3 ComputerName - 65.52.22.60 21 PASS *** 230 0 0 21 16 46 bd8ac5be-aad1-405a-a591-49ad5cee540a / -

2008-12-17 21:45:24 65.52.18.179 65491 UserName FTPSVC3 ComputerName - 65.52.22.60 21 PWD - 257 0 0 31 5 0 bd8ac5be-aad1-405a-a591-49ad5cee540a - -

2008-12-17 21:45:24 65.52.18.179 65491 UserName FTPSVC3 ComputerName - 65.52.22.60 21 FEAT - 211 0 0 135 6 0 bd8ac5be-aad1-405a-a591-49ad5cee540a - -

2008-12-17 21:45:24 65.52.18.179 65491 UserName FTPSVC3 ComputerName - 65.52.22.60 21 REST 100 350 0 0 24 10 0 bd8ac5be-aad1-405a-a591-49ad5cee540a - -

2008-12-17 21:45:24 65.52.18.179 65491 UserName FTPSVC3 ComputerName - 65.52.22.60 21 REST 0 350 0 0 22 8 0 bd8ac5be-aad1-405a-a591-49ad5cee540a - -

2008-12-17 21:45:24 65.52.18.179 65491 UserName FTPSVC3 ComputerName - 65.52.22.60 21 PASV - 227 0 0 50 6 0 bd8ac5be-aad1-405a-a591-49ad5cee540a - -

2008-12-17 21:45:24 65.52.18.179 65492 UserName FTPSVC3 ComputerName - 65.52.22.60 59032 DataChannelOpened - - 0 0 0 0 0 bd8ac5be-aad1-405a-a591-49ad5cee540a - -

2008-12-17 21:45:24 65.52.18.179 65492 UserName FTPSVC3 ComputerName - 65.52.22.60 59032 DataChannelClosed - - 0 0 1856 0 0 bd8ac5be-aad1-405a-a591-49ad5cee540a - -

2008-12-17 21:45:24 65.52.18.179 65491 UserName FTPSVC3 ComputerName - 65.52.22.60 21 LIST - 226 0 0 1921 6 78 bd8ac5be-aad1-405a-a591-49ad5cee540a / -

2008-12-17 21:45:31 65.52.18.179 65491 UserName FTPSVC3 ComputerName - 65.52.22.60 21 ControlChannelClosed - - 1236 0 418 78 7254 bd8ac5be-aad1-405a-a591-49ad5cee540a - -

In these logs we are not using SSL, so we do not see an AUTH SSL or PBSZ entry.

With SSL

=========

#Software: Microsoft Internet Information Services 7.0

#Version: 1.0

#Date: 2008-12-17 21:46:16

#Fields: date time c-ip c-port cs-username s-sitename s-computername sc-host s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus sc-bytes cs-bytes time-taken x-session x-fullpath x-debug

2008-12-17 21:46:16 65.52.18.179 65502 - FTPSVC3 ComputerName - 65.52.22.60 21 ControlChannelOpened - - 0 0 0 0 0 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -

2008-12-17 21:46:16 65.52.18.179 65502 - FTPSVC3 ComputerName - 65.52.22.60 21 AUTH SSL 234 0 0 22 10 62 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -

2008-12-17 21:46:20 65.52.18.179 65502 - FTPSVC3 ComputerName - 65.52.22.60 21 PBSZ 0 200 0 0 69 8 0 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -

2008-12-17 21:46:20 65.52.18.179 65502 - FTPSVC3 ComputerName - 65.52.22.60 21 USER UserName 331 0 0 69 21 0 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -

2008-12-17 21:46:20 65.52.18.179 65502 UserName FTPSVC3 ComputerName - 65.52.22.60 21 PASS *** 230 0 0 53 16 47 40392027-3887-4ad3-aaf2-b4d3c49c96d2 / -

2008-12-17 21:46:20 65.52.18.179 65502 UserName FTPSVC3 ComputerName - 65.52.22.60 21 PWD - 257 0 0 69 5 0 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -

2008-12-17 21:46:20 65.52.18.179 65502 UserName FTPSVC3 ComputerName - 65.52.22.60 21 FEAT - 211 0 0 297 6 0 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -

2008-12-17 21:46:20 65.52.18.179 65502 UserName FTPSVC3 ComputerName - 65.52.22.60 21 REST 100 350 0 0 53 10 0 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -

2008-12-17 21:46:20 65.52.18.179 65502 UserName FTPSVC3 ComputerName - 65.52.22.60 21 REST 0 350 0 0 53 8 0 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -

2008-12-17 21:46:20 65.52.18.179 65502 UserName FTPSVC3 ComputerName - 65.52.22.60 21 PBSZ 0 200 0 0 69 8 0 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -

2008-12-17 21:46:20 65.52.18.179 65502 UserName FTPSVC3 ComputerName - 65.52.22.60 21 PROT P 200 0 0 69 8 0 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -

2008-12-17 21:46:20 65.52.18.179 65502 UserName FTPSVC3 ComputerName - 65.52.22.60 21 PASV - 227 0 0 85 6 0 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -

2008-12-17 21:46:20 65.52.18.179 65503 UserName FTPSVC3 ComputerName - 65.52.22.60 59043 DataChannelOpened - - 0 0 0 0 0 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -

2008-12-17 21:46:20 65.52.18.179 65503 UserName FTPSVC3 ComputerName - 65.52.22.60 59043 DataChannelClosed - - 0 0 1930 474 0 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -

2008-12-17 21:46:20 65.52.18.179 65502 UserName FTPSVC3 ComputerName - 65.52.22.60 21 LIST - 226 0 0 2052 480 47 40392027-3887-4ad3-aaf2-b4d3c49c96d2 / -

2008-12-17 21:46:26 65.52.18.179 65502 UserName FTPSVC3 ComputerName - 65.52.22.60 21 ControlChannelClosed - - 1236 0 2005 1320 9906 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -

I have highlighted the difference in the cs-method column. In the second line we see the AUTH SSL method. This confirms we are using SSL for the data channel. Also, PBSZ and PROT confirm that the data channel is using SSL. For reference, see https://tools.ietf.org/html/draft-murray-auth-ftp-ssl-00
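An added example (not part of the original post or of IIS tooling) that automates the comparison above: it groups log rows by x-session and reports sessions where PASS was logged without a preceding AUTH that returned 234. The function names are illustrative, the sample rows are abbreviated from the two excerpts above, and it assumes the cs-method, sc-status and x-session fields are enabled and that clients use AUTH on the control connection as in these logs.

```python
# Added example, not from the original post: flag IIS FTP sessions that sent
# PASS without first completing AUTH (status 234), keyed on x-session.

# Sample rows abbreviated from the two log excerpts in the post.
SAMPLE_LOG = """\
#Fields: date time c-ip c-port cs-username s-sitename s-computername sc-host s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus sc-bytes cs-bytes time-taken x-session x-fullpath x-debug
2008-12-17 21:45:24 65.52.18.179 65491 - FTPSVC3 ComputerName - 65.52.22.60 21 USER UserName 331 0 0 43 21 0 bd8ac5be-aad1-405a-a591-49ad5cee540a - -
2008-12-17 21:45:24 65.52.18.179 65491 UserName FTPSVC3 ComputerName - 65.52.22.60 21 PASS *** 230 0 0 21 16 46 bd8ac5be-aad1-405a-a591-49ad5cee540a / -
2008-12-17 21:45:24 65.52.18.179 65491 UserName FTPSVC3 ComputerName - 65.52.22.60 21 PASV - 227 0 0 50 6 0 bd8ac5be-aad1-405a-a591-49ad5cee540a - -
2008-12-17 21:46:16 65.52.18.179 65502 - FTPSVC3 ComputerName - 65.52.22.60 21 AUTH SSL 234 0 0 22 10 62 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -
2008-12-17 21:46:20 65.52.18.179 65502 - FTPSVC3 ComputerName - 65.52.22.60 21 PBSZ 0 200 0 0 69 8 0 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -
2008-12-17 21:46:20 65.52.18.179 65502 - FTPSVC3 ComputerName - 65.52.22.60 21 USER UserName 331 0 0 69 21 0 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -
2008-12-17 21:46:20 65.52.18.179 65502 UserName FTPSVC3 ComputerName - 65.52.22.60 21 PASS *** 230 0 0 53 16 47 40392027-3887-4ad3-aaf2-b4d3c49c96d2 / -
2008-12-17 21:46:20 65.52.18.179 65502 UserName FTPSVC3 ComputerName - 65.52.22.60 21 PROT P 200 0 0 69 8 0 40392027-3887-4ad3-aaf2-b4d3c49c96d2 - -
"""


def classify_sessions(log_text):
    """Return {x-session: {"tls", "prot", "cleartext_login", "user"}}."""
    fields, sessions = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is defined per log file
            continue
        if not fields or not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        sid = row.get("x-session")
        if sid is None or "cs-method" not in row:
            continue  # these fields are not enabled in this log
        s = sessions.setdefault(
            sid, {"tls": False, "prot": None, "cleartext_login": False, "user": None})
        method, status = row["cs-method"].upper(), row.get("sc-status")
        if method == "AUTH" and status == "234":
            s["tls"] = True  # 234: server accepted the SSL/TLS negotiation
        elif method == "PROT" and status == "200":
            s["prot"] = row.get("cs-uri-stem", "").upper()  # P = private data channel
        elif method == "PASS":
            s["user"] = row.get("cs-username")
            if not s["tls"]:
                s["cleartext_login"] = True  # password sent before any AUTH
    return sessions


def cleartext_logins(log_text):
    """List (session id, user) pairs that logged in without a prior AUTH."""
    return [(sid, s["user"]) for sid, s in classify_sessions(log_text).items()
            if s["cleartext_login"]]


if __name__ == "__main__":
    for sid, user in cleartext_logins(SAMPLE_LOG):
        print(f"cleartext login: session={sid} user={user}")
```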

Hope you will find it useful.