From: Jeff Lucovsky Date: Wed, 16 Apr 2025 13:29:49 +0000 (-0400) Subject: tests/ftp: Add tests for ftp_reply_received keyword X-Git-Tag: suricata-7.0.11~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4db31c3102ba5ef3d164dc1dc152a56452848656;p=thirdparty%2Fsuricata-verify.git tests/ftp: Add tests for ftp_reply_received keyword Add tests for the FTP keyword ftp.reply_received that alert on both values for reply_received -- "yes" and "no". Also validate that only yes, no, on, off are accepted. Issue: 7506
---
diff --git a/tests/detect-ftp/ftp-reply-received-01/input.rules b/tests/detect-ftp/ftp-reply-received-01/input.rules
new file mode 100644
index 000000000..4e05f023a
--- /dev/null
+++ b/tests/detect-ftp/ftp-reply-received-01/input.rules
@@ -0,0 +1,2 @@
+alert ftp any any -> any any (msg: "Match on FTP reply received: yes"; flow:established; ftp.reply_received: yes; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP reply received: yes"; flow:established; ftp.reply_received: on; sid:2;)
diff --git a/tests/detect-ftp/ftp-reply-received-01/test.yaml b/tests/detect-ftp/ftp-reply-received-01/test.yaml
new file mode 100644
index 000000000..999d8a54c
--- /dev/null
+++ b/tests/detect-ftp/ftp-reply-received-01/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ version: 8
+
+pcap: ../../bug-3519/input.pcap
+
+checks:
+
+ - filter:
+ count: 7
+ match:
+ event_type: alert
+ ftp.reply_received: "yes"
+ alert.signature_id: 1
+
+ - filter:
+ count: 7
+ match:
+ event_type: alert
+ ftp.reply_received: "yes"
+ alert.signature_id: 2
diff --git a/tests/detect-ftp/ftp-reply-received-02/input.rules b/tests/detect-ftp/ftp-reply-received-02/input.rules
new file mode 100644
index 000000000..59beedaf7
--- /dev/null
+++ b/tests/detect-ftp/ftp-reply-received-02/input.rules
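Review bot: The msg for sid 2 says "reply received: yes" although the option value under test is `on`, so both signatures emit identical alert messages and can only be told apart by signature_id; `msg: "Match on FTP reply received: on"` would name the value actually exercised. The same mismatch appears in ftp-reply-received-02/input.rules (sid 2 uses `off` but the msg says "NO") and in all three rules of ftp-reply-received-03/input.rules, whose msgs all say "reply received: yes" while the values are `yes yes`, `no no` and `suricata`; for that negative set a msg such as "Invalid ftp.reply_received value" would make the engine-analysis output self-explaining. This is a naming point only; detection is unaffected.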
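Review bot: The test borrows its pcap from another test's directory (`../../bug-3519/input.pcap`) and pins `count: 7` without recording where 7 comes from, so a later change to the bug-3519 capture would break this test with no hint of why. A one-line comment above the pcap line would preserve the expectation — presumably `# 7 FTP transactions in the shared bug-3519 capture carry a server reply`, though the number cannot be verified from the diff. ftp-reply-received-02/test.yaml has the same shared-pcap coupling with `ftp/ftp-too-long-response/ftp-too-long-response.pcap`. Consider also a filter asserting `count: 0` for alerts with `ftp.reply_received: "no"`, so the eve field is checked on the keyword's negative side as well as its positive side.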
@@ -0,0 +1,2 @@
+alert ftp any any -> any any (msg: "Match on FTP reply-received NO"; ftp.reply_received: no; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP reply-received NO"; ftp.reply_received: off; sid:2;)
diff --git a/tests/detect-ftp/ftp-reply-received-02/test.yaml b/tests/detect-ftp/ftp-reply-received-02/test.yaml
new file mode 100644
index 000000000..fac9dc4c7
--- /dev/null
+++ b/tests/detect-ftp/ftp-reply-received-02/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ version: 8
+
+pcap: ../../ftp/ftp-too-long-response/ftp-too-long-response.pcap
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.reply_received: "no"
+ alert.signature_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.reply_received: "no"
+ alert.signature_id: 2
diff --git a/tests/detect-ftp/ftp-reply-received-03/input.rules b/tests/detect-ftp/ftp-reply-received-03/input.rules
new file mode 100644
index 000000000..59bec2d89
--- /dev/null
+++ b/tests/detect-ftp/ftp-reply-received-03/input.rules
@@ -0,0 +1,3 @@
+alert ftp any any -> any any (msg: "Match on FTP reply received: yes"; flow:established; ftp.reply_received: yes yes; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP reply received: yes"; flow:established; ftp.reply_received: no no; sid:2;)
+alert ftp any any -> any any (msg: "Match on FTP reply received: yes"; flow:established; ftp.reply_received: suricata; sid:3;)
diff --git a/tests/detect-ftp/ftp-reply-received-03/test.yaml b/tests/detect-ftp/ftp-reply-received-03/test.yaml
new file mode 100644
index 000000000..56efdc15c
--- /dev/null
+++ b/tests/detect-ftp/ftp-reply-received-03/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ version: 8
+ pcap: false
+
+exit-code: 1
+
+args:
+ - --engine-analysis
+checks:
+
+ - shell:
+ args: grep "error parsing signature" suricata.log | wc -l | xargs
+ expect: 3
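Review bot: Unlike the ftp-reply-received-01 rules, these two signatures carry no `flow:established` option, and nothing in the commit says whether the omission is deliberate. If it is intentional (for instance because the too-long-response capture does not reach an established state, which I cannot confirm from the diff), a comment in the rules file saying so would stop someone from "fixing" the inconsistency later; otherwise adding `flow:established;` to both rules keeps the two positive tests parallel.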
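Review bot: The three invalid values cover a duplicated token (`yes yes`, `no no`) and an unknown word (`suricata`), but the set does not establish how the parser treats an empty option (`ftp.reply_received;`) or a case variant such as `YES`; whether those are meant to be accepted or rejected is not stated by the commit, and one rule for each would pin the behaviour either way, with the expected count in test.yaml adjusted to match. This is a coverage suggestion rather than a defect in the rules that are here.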
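Review bot: The shell check counts every "error parsing signature" line in suricata.log, so `expect: 3` is satisfied whether the three rules were rejected for their bad option values or for some unrelated reason, such as the keyword being unavailable in the build under test (`requires: version: 8` narrows that but does not rule it out). If the parse-error line names the failing option, matching on it — for example `args: grep -c "ftp.reply_received" suricata.log` — would tie the count to the behaviour the commit message claims to validate; I cannot see the log format from the diff, so the exact pattern needs checking against a real run. Note that `grep -c` exits non-zero on zero matches, which only matters if suricata-verify inspects the pipeline's exit status rather than its output.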