From: Jeff Lucovsky
Date: Tue, 8 Apr 2025 11:25:08 +0000 (-0400)
Subject: detect/ftp: Tests for ftp.completion
X-Git-Tag: suricata-7.0.11~55
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0de79633b856e2d15b89c298e66b4b92c0f93065;p=thirdparty%2Fsuricata-verify.git

detect/ftp: Tests for ftp.completion

This commit adds test cases for the rule keyword ftp.completion_code Note that ftp.completion code can be used - individually - with other ftp keywords, e.g., ftp.reply
---
diff --git a/tests/detect-ftp/ftp-completion-code-01/README.md b/tests/detect-ftp/ftp-completion-code-01/README.md
new file mode 100644
index 000000000..df8067edd
--- /dev/null
+++ b/tests/detect-ftp/ftp-completion-code-01/README.md
@@ -0,0 +1,10 @@
+Test
+====
+
+Verify that operation of the `ftp.completion-code` keyword.
+
+PCAP
+====
+
+This test uses the pcap from `bug-3519`
+
diff --git a/tests/detect-ftp/ftp-completion-code-01/input.rules b/tests/detect-ftp/ftp-completion-code-01/input.rules
new file mode 100644
index 000000000..627600955
--- /dev/null
+++ b/tests/detect-ftp/ftp-completion-code-01/input.rules
@@ -0,0 +1,11 @@
+alert ftp any any -> any any (msg: "Match on FTP completion-code #1"; flow:established; ftp.completion_code; content:"331"; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #2"; flow:established; ftp.completion_code; content:"230"; sid:2;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #3"; flow:established; ftp.completion_code; content:"226"; sid:3;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #4"; flow:established; ftp.completion_code; content:"221"; sid:4;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #5"; flow:established; ftp.completion_code; content:"150"; sid:5;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #6"; flow:established; ftp.reply; content: "Please specify the password."; ftp.completion_code; content:"331"; sid:10;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #7"; flow:established; ftp.reply; content: "Login successful.";ftp.completion_code; content:"230"; sid:20;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #8"; flow:established; ftp.reply; content: "Directory send OK.";ftp.completion_code; content:"226"; sid:30;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #9"; flow:established; ftp.reply; content: "Goodbye.";ftp.completion_code; content:"221"; sid:40;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #10"; flow:established; ftp.reply; content: "Here comes the directory listing.";ftp.completion_code; content:"150"; sid:50;)
+alert ftp any any -> any any (msg: "Match on FTP completion-code #11"; flow:established; ftp.reply; content: "Transfer complete.";ftp.completion_code; content:"226"; sid:60;)
diff --git a/tests/detect-ftp/ftp-completion-code-01/test.yaml b/tests/detect-ftp/ftp-completion-code-01/test.yaml
new file mode 100644
index 000000000..d89bec7f6
--- /dev/null
+++ b/tests/detect-ftp/ftp-completion-code-01/test.yaml
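Review bot: The keyword is spelled `ftp.completion_code` in every rule here, but the README hunk in this same commit documents it as `ftp.completion-code` and the commit message writes "ftp.completion code", so a reader searching for the documented name will not find these rules; the README line should read `Verify the operation of the `ftp.completion_code` keyword.`. As a point of style, sids 20–60 drop the space after the reply content (`content: "Login successful.";ftp.completion_code;`) while sid 10 keeps it, and `content: "..."` alternates with `content:"..."` within the same rule; one form throughout, e.g. `ftp.reply; content:"Login successful."; ftp.completion_code; content:"230";`, keeps the file greppable. Sids 3 and 5 match only a bare code (`226`, `150`) that the later checks show is shared by the RETR and NLST transactions, so they fire more than once per pcap; that is fine for coverage but worth a one-line comment above the file so nobody later "fixes" the duplicate alerts.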
@@ -0,0 +1,134 @@
+pcap: ../../bug-3519/input.pcap
+
+requires:
+ min-version: 8
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.completion_code.__contains: '331'
+ ftp.reply.__contains: 'Please specify the password.'
+ alert.signature_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.completion_code.__contains: '230'
+ ftp.reply.__contains: 'Login successful.'
+ alert.signature_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.completion_code.__contains: '226'
+ ftp.reply.__contains: 'Directory send OK.'
+ alert.signature_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.completion_code.__contains: '221'
+ ftp.reply.__contains: 'Goodbye.'
+ alert.signature_id: 4
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: "RETR"
+ ftp.completion_code.__contains: '150'
+ ftp.reply.__contains: 'Opening BINARY mode data connection for temp.txt (1164 bytes).'
+ alert.signature_id: 5
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: "RETR"
+ ftp.completion_code.__contains: '226'
+ ftp.reply.__contains: 'Transfer complete.'
+ alert.signature_id: 5
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: "USER"
+ ftp.completion_code.__contains: '331'
+ ftp.reply.__contains: 'Please specify the password.'
+ alert.signature_id: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.completion_code.__contains: '230'
+ ftp.reply.__contains: 'Login successful.'
+ alert.signature_id: 20
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.completion_code.__contains: '150'
+ ftp.reply.__contains: 'Here comes the directory listing.'
+ alert.signature_id: 30
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.completion_code.__contains: '226'
+ ftp.reply.__contains: 'Directory send OK.'
+ alert.signature_id: 30
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: "QUIT"
+ ftp.completion_code.__contains: '221'
+ ftp.reply.__contains: 'Goodbye.'
+ alert.signature_id: 40
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: "NLST"
+ ftp.completion_code.__contains: '150'
+ ftp.reply.__contains: 'Here comes the directory listing.'
+ alert.signature_id: 50
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: "NLST"
+ ftp.completion_code.__contains: '226'
+ ftp.reply.__contains: 'Directory send OK.'
+ alert.signature_id: 50
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: "RETR"
+ ftp.completion_code.__contains: '150'
+ ftp.reply.__contains: 'Opening BINARY mode data connection for temp.txt (1164 bytes).'
+ alert.signature_id: 60
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: "RETR"
+ ftp.completion_code.__contains: '226'
+ ftp.reply.__contains: 'Transfer complete.'
+ alert.signature_id: 60
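Review bot: No check pins the total number of alerts a signature produces, so the test cannot catch a regression that drops one of several expected alerts for the same sid; the sid 5 filters only look at the RETR transaction, yet the sid 50 filter shows the NLST transaction also carries code 150, so sid 5 presumably fires there too and nothing asserts it. A per-sid total alongside the existing filters would close that gap, e.g. `- filter: {count: EXPECTED_SID5_TOTAL, match: {event_type: alert, alert.signature_id: 5}}` with the count taken from the bug-3519 pcap (placeholder here, value to be confirmed by running the test). Several filters also expect a reply/code pair that the matching rule does not contain — the sid 30 filter expects 'Here comes the directory listing.' with '150' although rule sid 30 matches 'Directory send OK.' with '226', and the sid 60 filter expects 'Opening BINARY ...' with '150' — which only holds if the alert's `ftp.reply` and `ftp.completion_code` fields list every reply of the transaction; a short comment above the `checks:` key stating that `__contains` is relied on for exactly that list semantics would spare the next reader the same double-take. Finally, the sid 1–4 and sid 20/30 filters omit `ftp.command` while the others constrain it; adding the command to all of them makes each filter select a single transaction unambiguously.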