detect/ftp: Tests for ftp.completion

This commit adds test cases for the rule keyword ftp.completion_code

Note that ftp.completion code can be used
- individually
- with other ftp keywords, e.g., ftp.reply

diff --git a/tests/detect-ftp/ftp-completion-code-01/README.md b/tests/detect-ftp/ftp-completion-code-01/README.md
new file mode 100644 (file)
index 0000000..df8067e
--- /dev/null
+++ b/tests/detect-ftp/ftp-completion-code-01/README.md
@@ -0,0 +1,10 @@
+Test
+====
+
+Verify that operation of the `ftp.completion-code` keyword.
+
+PCAP
+====
+
+This test uses the pcap from `bug-3519`
+

diff --git a/tests/detect-ftp/ftp-completion-code-01/input.rules b/tests/detect-ftp/ftp-completion-code-01/input.rules
new file mode 100644 (file)
index 0000000..6276009
--- /dev/null
+++ b/tests/detect-ftp/ftp-completion-code-01/input.rules
@@ -0,0 +1,11 @@
+alert ftp any any -> any any (msg: "Match on FTP completion-code #1"; flow:established; ftp.completion_code; content:"331"; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #2"; flow:established; ftp.completion_code; content:"230"; sid:2;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #3"; flow:established; ftp.completion_code; content:"226"; sid:3;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #4"; flow:established; ftp.completion_code; content:"221"; sid:4;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #5"; flow:established; ftp.completion_code; content:"150"; sid:5;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #6"; flow:established; ftp.reply; content: "Please specify the password."; ftp.completion_code; content:"331"; sid:10;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #7"; flow:established; ftp.reply; content: "Login successful.";ftp.completion_code; content:"230"; sid:20;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #8"; flow:established; ftp.reply; content: "Directory send OK.";ftp.completion_code; content:"226"; sid:30;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #9"; flow:established; ftp.reply; content: "Goodbye.";ftp.completion_code; content:"221"; sid:40;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #10"; flow:established; ftp.reply; content: "Here comes the directory listing.";ftp.completion_code; content:"150"; sid:50;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #11"; flow:established; ftp.reply; content: "Transfer complete.";ftp.completion_code; content:"226"; sid:60;)

diff --git a/tests/detect-ftp/ftp-completion-code-01/test.yaml b/tests/detect-ftp/ftp-completion-code-01/test.yaml
new file mode 100644 (file)
index 0000000..d89bec7
--- /dev/null
+++ b/tests/detect-ftp/ftp-completion-code-01/test.yaml
@@ -0,0 +1,134 @@
+pcap: ../../bug-3519/input.pcap
+
+requires:
+  min-version: 8
+
+checks:
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.completion_code.__contains: '331'
+        ftp.reply.__contains: 'Please specify the password.'
+        alert.signature_id: 1
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.completion_code.__contains: '230'
+        ftp.reply.__contains: 'Login successful.'
+        alert.signature_id: 2
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.completion_code.__contains: '226'
+        ftp.reply.__contains: 'Directory send OK.'
+        alert.signature_id: 3
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.completion_code.__contains: '221'
+        ftp.reply.__contains: 'Goodbye.'
+        alert.signature_id: 4
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: "RETR"
+        ftp.completion_code.__contains: '150'
+        ftp.reply.__contains: 'Opening BINARY mode data connection for temp.txt (1164 bytes).'
+        alert.signature_id: 5
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: "RETR"
+        ftp.completion_code.__contains: '226'
+        ftp.reply.__contains: 'Transfer complete.'
+        alert.signature_id: 5
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: "USER"
+        ftp.completion_code.__contains: '331'
+        ftp.reply.__contains: 'Please specify the password.'
+        alert.signature_id: 10
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.completion_code.__contains: '230'
+        ftp.reply.__contains: 'Login successful.'
+        alert.signature_id: 20
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.completion_code.__contains: '150'
+        ftp.reply.__contains: 'Here comes the directory listing.'
+        alert.signature_id: 30
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.completion_code.__contains: '226'
+        ftp.reply.__contains: 'Directory send OK.'
+        alert.signature_id: 30
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: "QUIT"
+        ftp.completion_code.__contains: '221'
+        ftp.reply.__contains: 'Goodbye.'
+        alert.signature_id: 40
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: "NLST"
+        ftp.completion_code.__contains: '150'
+        ftp.reply.__contains: 'Here comes the directory listing.'
+        alert.signature_id: 50
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: "NLST"
+        ftp.completion_code.__contains: '226'
+        ftp.reply.__contains: 'Directory send OK.'
+        alert.signature_id: 50
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: "RETR"
+        ftp.completion_code.__contains: '150'
+        ftp.reply.__contains: 'Opening BINARY mode data connection for temp.txt (1164 bytes).'
+        alert.signature_id: 60
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: "RETR"
+        ftp.completion_code.__contains: '226'
+        ftp.reply.__contains: 'Transfer complete.'
+        alert.signature_id: 60