From: Jeff Lucovsky
Date: Sun, 21 Jul 2019 16:33:32 +0000 (-0400)
Subject: tests: add test cases for FTP logging
X-Git-Tag: suricata-6.0.4~409
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F106%2Fhead;p=thirdparty%2Fsuricata-verify.git
tests: add test cases for FTP logging
---
diff --git a/tests/output-eve-ftp/input.pcap b/tests/output-eve-ftp/input.pcap
new file mode 100644
index 000000000..50815c553
Binary files /dev/null and b/tests/output-eve-ftp/input.pcap differ
diff --git a/tests/output-eve-ftp/test.yaml b/tests/output-eve-ftp/test.yaml
new file mode 100644
index 000000000..edcc6304b
--- /dev/null
+++ b/tests/output-eve-ftp/test.yaml
@@ -0,0 +1,68 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+ files:
+ - src/output-json-ftp.c
+
+checks:
+ - filter:
+ count: 8
+ match:
+ event_type: ftp
+
+ - filter:
+ count: 1
+ match:
+ event_type: ftp
+ ftp.command: USER
+
+ - filter:
+ count: 1
+ match:
+ event_type: ftp
+ ftp.command: PASS
+
+ - filter:
+ count: 1
+ match:
+ event_type: ftp
+ ftp.command: NLST
+
+ - filter:
+ count: 2
+ match:
+ event_type: ftp
+ ftp.command: PORT
+
+ - filter:
+ count: 1
+ match:
+ event_type: ftp
+ ftp.command: RETR
+
+ - filter:
+ count: 1
+ match:
+ event_type: ftp
+ ftp.command: QUIT
+
+ - filter:
+ count: 1
+ match:
+ event_type: ftp
+ ftp.command: PASS
+ ftp.command_data: anonymous
+ ftp.reply: ['Login successful.']
+ ftp.completion_code: ['230']
+
+ - filter:
+ count: 1
+ match:
+ event_type: ftp
+ ftp.command: NLST
+ ftp.reply: [
+ "Here comes the directory listing.\r\n",
+ "Directory send OK.",
+ "PORT command successful. Consider using PASV."]
+ ftp.dynamic_port: 59926
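Review bot: The check that matches `ftp.command: PASS` together with `ftp.command_data: anonymous` pins the PASS argument being written verbatim into the EVE record, so this test fixes cleartext FTP passwords in the log stream as expected behaviour. Whether that is intended is not visible from the test alone; if it is, a comment above that check would make the contract explicit, for example `# PASS argument is logged as-is; revisit this check if the logger ever redacts credentials`. Anyone shipping `event_type: ftp` records to a SIEM should then treat them as credential-bearing data for access control and retention. The same concern does not apply to the earlier bare `ftp.command: PASS` count check, which would survive a redaction change.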