detect/ftp: Tests for ftp.dynamic_port 2465/head
authorJeff Lucovsky <jlucovsky@oisf.net>
Sun, 20 Apr 2025 19:32:58 +0000 (15:32 -0400)
committerJeff Lucovsky <jlucovsky@oisf.net>
Thu, 24 Apr 2025 14:17:42 +0000 (10:17 -0400)
Add tests for FTP's dynamic_port -- active and passive.

The ftp-active-dynamic_port-01 test case also covers the comparison
operators -- since the implementation reuses the U16 matching and
parsing logic, only that one test case carries the additional comparison tests.

15 files changed:
tests/detect-ftp/ftp-active-dynamic_port-01/input.rules [new file with mode: 0644]
tests/detect-ftp/ftp-active-dynamic_port-01/test.yaml [new file with mode: 0644]
tests/detect-ftp/ftp-active-dynamic_port-02/Makefile [new file with mode: 0644]
tests/detect-ftp/ftp-active-dynamic_port-02/README.md [new file with mode: 0644]
tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.pcap [new file with mode: 0644]
tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.syn [new file with mode: 0644]
tests/detect-ftp/ftp-active-dynamic_port-02/input.rules [new file with mode: 0644]
tests/detect-ftp/ftp-active-dynamic_port-02/test.yaml [new file with mode: 0644]
tests/detect-ftp/ftp-passive-dynamic_port-01/input.rules [new file with mode: 0644]
tests/detect-ftp/ftp-passive-dynamic_port-01/test.yaml [new file with mode: 0644]
tests/detect-ftp/ftp-passive-dynamic_port-02/Makefile [new file with mode: 0644]
tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.pcap [new file with mode: 0644]
tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.syn [new file with mode: 0644]
tests/detect-ftp/ftp-passive-dynamic_port-02/input.rules [new file with mode: 0644]
tests/detect-ftp/ftp-passive-dynamic_port-02/test.yaml [new file with mode: 0644]

diff --git a/tests/detect-ftp/ftp-active-dynamic_port-01/input.rules b/tests/detect-ftp/ftp-active-dynamic_port-01/input.rules
new file mode 100644 (file)
index 0000000..c322d5e
--- /dev/null
@@ -0,0 +1,7 @@
+alert ftp any any -> any any (msg: "Match on FTP active port #1"; flow:to_server; ftp.dynamic_port: 59914; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP active port #2: equality"; flow:to_server; ftp.dynamic_port: =59926; sid:2;)
+alert ftp any any -> any any (msg: "Match on FTP active port #3: >="; flow:to_server; ftp.dynamic_port: >=59926; sid:3;)
+alert ftp any any -> any any (msg: "Match on FTP active port #4: <="; flow:to_server; ftp.dynamic_port: <=59926; sid:4;)
+alert ftp any any -> any any (msg: "Match on FTP active port #5: <"; flow:to_server; ftp.dynamic_port: <59927; sid:5;)
+alert ftp any any -> any any (msg: "Match on FTP active port #6: >"; flow:to_server; ftp.dynamic_port: >59925; sid:6;)
+alert ftp any any -> any any (msg: "Match on FTP active port #7: range"; flow:to_server; ftp.dynamic_port: 59925-59927; sid:7;)
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-01/test.yaml b/tests/detect-ftp/ftp-active-dynamic_port-01/test.yaml
new file mode 100644 (file)
index 0000000..435d03d
--- /dev/null
@@ -0,0 +1,63 @@
+pcap: ../../bug-3519/input.pcap
+
+requires:
+  version: 8
+
+
+checks:
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: PORT
+        ftp.dynamic_port: 59914
+        alert.signature_id: 1
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: PORT
+        ftp.dynamic_port: 59926
+        alert.signature_id: 2
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: PORT
+        ftp.dynamic_port: 59926
+        alert.signature_id: 3
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: PORT
+        ftp.dynamic_port: 59926
+        alert.signature_id: 4
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: PORT
+        ftp.dynamic_port: 59926
+        alert.signature_id: 5
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: PORT
+        ftp.dynamic_port: 59926
+        alert.signature_id: 6
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: PORT
+        ftp.dynamic_port: 59926
+        alert.signature_id: 7
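Review bot: The checks from line 63 onwards only assert that each operator rule fires once for port 59926; none asserts where an operator must not match, so an implementation that ignored the operator and matched any port would still pass. The same pcap carries a PORT command for 59914 (the sid 1 check on lines 55-61), which gives a ready negative case: `>=59926` (sid 3), `>59925` (sid 6) and the `59925-59927` range (sid 7) must not fire for it, while `<=59926` (sid 4) and `<59927` (sid 5) must. Adding a `count: 0` filter per non-matching operator, e.g. `- filter: {count: 0, match: {event_type: alert, ftp.dynamic_port: 59914, alert.signature_id: 3}}`, or one total-alert-count check, would pin the comparison semantics the commit message says this test case exists to cover. Whether the bug-3519 pcap holds further PORT commands cannot be told from here, so any expected totals would have to be derived from it.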
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/Makefile b/tests/detect-ftp/ftp-active-dynamic_port-02/Makefile
new file mode 100644 (file)
index 0000000..054932a
--- /dev/null
@@ -0,0 +1,2 @@
+ftp-active-dynamic_port.pcap: ftp-active-dynamic_port.syn
+       flowsynth.py -f pcap -w $@ $^
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/README.md b/tests/detect-ftp/ftp-active-dynamic_port-02/README.md
new file mode 100644 (file)
index 0000000..35b1cea
--- /dev/null
@@ -0,0 +1,3 @@
+pcap made with flowsynth
+
+https://github.com/secureworks/flowsynth
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.pcap b/tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.pcap
new file mode 100644 (file)
index 0000000..7558fd8
Binary files /dev/null and b/tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.pcap differ
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.syn b/tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.syn
new file mode 100644 (file)
index 0000000..b67be59
--- /dev/null
@@ -0,0 +1,10 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:21 (tcp.initialize; mss: 9000;);
+default < (content:"220 (Ftp Server)\x0d\x0a";);
+default > (content:"USER user\x0d\x0a";);
+default < (content:"331 Please specify the password.\x0d\x0a";);
+default > (content:"PASS password\x0d\x0a";);
+default < (content:"230 Login successful.\x0d\x0a";);
+default > (content:"EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|34325|\x0d\x0a";);
+default < (content:"200 EPRT command successful. Consider using EPSV\x0d\x0a";);
+default < (content:"QUIT\x0d\x0a";);
+default < (content:"221 Goodbye.\x0d\x0a";);
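Review bot: Line 142 sends `QUIT` from the server side (`default <`), but QUIT is a client command; the line should read `default > (content:"QUIT\x0d\x0a";);` so the synthesized session is a client-initiated close followed by the server's `221 Goodbye.` reply. The EPRT argument on line 140 also names an IPv6 address from allocated space while the flow on line 134 is IPv4 1.1.1.1 → 2.2.2.2; a documentation-range address (2001:db8::/32) would avoid embedding a real-looking address in the repository, and if a protocol-conformant exchange is intended, an IPv4 `|1|...|` form would match the control connection's address family. Neither point changes what the visible test asserts, so both concern the fixture's fidelity rather than the test outcome.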
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/input.rules b/tests/detect-ftp/ftp-active-dynamic_port-02/input.rules
new file mode 100644 (file)
index 0000000..ba85abc
--- /dev/null
@@ -0,0 +1 @@
+alert ftp any any -> any any (msg: "Match on FTP active port #1"; ftp.dynamic_port: 34325; sid:1;)
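Review bot: This rule omits `flow:to_server`, while the other dynamic_port rules in this commit (lines 35-41, 176, 232) carry it; the `count: 2` expected in test.yaml on line 165 for the single EPRT command on line 140 is presumably the consequence, with the rule alerting on both directions of the transaction. Adding `flow:to_server;` here and lowering the check to `count: 1` would keep the test consistent with its siblings and tie the alert to the client's EPRT request. If the double count is deliberate, a short comment in test.yaml explaining why two alerts are expected would save the next reader the same question.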
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/test.yaml b/tests/detect-ftp/ftp-active-dynamic_port-02/test.yaml
new file mode 100644 (file)
index 0000000..a3fe080
--- /dev/null
@@ -0,0 +1,16 @@
+pcap: ftp-active-dynamic_port.pcap
+
+requires:
+  version: 8
+
+args:
+- -k none
+checks:
+
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        ftp.command: EPRT
+        ftp.dynamic_port: 34325
+        alert.signature_id: 1
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-01/input.rules b/tests/detect-ftp/ftp-passive-dynamic_port-01/input.rules
new file mode 100644 (file)
index 0000000..17e5797
--- /dev/null
@@ -0,0 +1 @@
+alert ftp any any -> any any (msg: "Match on FTP EPSV port"; flow:to_server; ftp.dynamic_port: 58612; sid:1;)
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-01/test.yaml b/tests/detect-ftp/ftp-passive-dynamic_port-01/test.yaml
new file mode 100644 (file)
index 0000000..e6d25b2
--- /dev/null
@@ -0,0 +1,14 @@
+pcap: ../../ftp-epsv/input.pcap
+
+requires:
+  version: 8
+
+checks:
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: EPSV
+        ftp.dynamic_port: 58612
+        alert.signature_id: 1
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-02/Makefile b/tests/detect-ftp/ftp-passive-dynamic_port-02/Makefile
new file mode 100644 (file)
index 0000000..bb99b73
--- /dev/null
@@ -0,0 +1,3 @@
+ftp-passive-dynamic_port.pcap: ftp-passive-dynamic_port.syn
+       flowsynth.py -f pcap -w $@ $^
+
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.pcap b/tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.pcap
new file mode 100644 (file)
index 0000000..a0a0db5
Binary files /dev/null and b/tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.pcap differ
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.syn b/tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.syn
new file mode 100644 (file)
index 0000000..43e0521
--- /dev/null
@@ -0,0 +1,14 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:21 (tcp.initialize; mss: 9000;);
+default < (content:"220 (Ftp Server)\x0d\x0a";);
+default > (content:"USER user\x0d\x0a";);
+default < (content:"331 Please specify the password.\x0d\x0a";);
+default > (content:"PASS password\x0d\x0a";);
+default < (content:"230 Login successful.\x0d\x0a";);
+default > (content:"SYST\x0d\x0a";);
+default < (content:"215 UNIX Type: L8\x0d\x0a";);
+default > (content:"TYPE I\x0d\x0a";);
+default < (content:"200 Switching to Binary mode.\x0d\x0a";);
+default > (content:"PASV\x0d\x0a";);
+default < (content:"227 Entering Passive Mode (2,2,2,2,185,13).\x0d\x0a";);
+default > (content:"RETR index.html\x0d\x0a";);
+default < (content:"550 Failed to open file.\x0d\x0a";);
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-02/input.rules b/tests/detect-ftp/ftp-passive-dynamic_port-02/input.rules
new file mode 100644 (file)
index 0000000..0d24493
--- /dev/null
@@ -0,0 +1 @@
+alert ftp any any -> any any (msg: "Match on FTP EPSV port"; flow:to_server; ftp.dynamic_port: 47373; sid:1;)
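Review bot: The message `Match on FTP EPSV port` on this line does not describe the traffic: the fixture issues `PASV` (line 223) and the check on line 249 asserts `ftp.command: PASV`, so the text was evidently carried over from the -01 rule on line 176. Renaming it, e.g. `msg: "Match on FTP PASV port";`, keeps alert output searchable by the command actually exercised. The port 47373 does correspond to the `(2,2,2,2,185,13)` reply on line 224 (185*256+13), so the match itself is correct.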
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-02/test.yaml b/tests/detect-ftp/ftp-passive-dynamic_port-02/test.yaml
new file mode 100644 (file)
index 0000000..85ccf59
--- /dev/null
@@ -0,0 +1,14 @@
+pcap: ftp-passive-dynamic_port.pcap
+
+requires:
+  version: 8
+
+checks:
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: PASV
+        ftp.dynamic_port: 47373
+        alert.signature_id: 1