From: Jeff Lucovsky
Date: Sun, 20 Apr 2025 19:32:58 +0000 (-0400)
Subject: detect/ftp: Tests for ftp.dynamic_port
X-Git-Tag: suricata-7.0.11~81
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2465%2Fhead;p=thirdparty%2Fsuricata-verify.git
detect/ftp: Tests for ftp.dynamic_port
Add tests for FTP's dynamic_port -- active and passive. The ftp-active-dynamic_port-01 test case includes tests for the comparison operands -- since the implementation uses the U16 matching and parsing logic, only one test case has the additional test cases.
---
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-01/input.rules b/tests/detect-ftp/ftp-active-dynamic_port-01/input.rules
new file mode 100644
index 000000000..c322d5ed2
--- /dev/null
+++ b/tests/detect-ftp/ftp-active-dynamic_port-01/input.rules
@@ -0,0 +1,7 @@
+alert ftp any any -> any any (msg: "Match on FTP active port #1"; flow:to_server; ftp.dynamic_port: 59914; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP active port #2: equality"; flow:to_server; ftp.dynamic_port: =59926; sid:2;)
+alert ftp any any -> any any (msg: "Match on FTP active port #3: >="; flow:to_server; ftp.dynamic_port: >=59926; sid:3;)
+alert ftp any any -> any any (msg: "Match on FTP active port #4: <="; flow:to_server; ftp.dynamic_port: <=59926; sid:4;)
+alert ftp any any -> any any (msg: "Match on FTP active port #5: <"; flow:to_server; ftp.dynamic_port: <59927; sid:5;)
+alert ftp any any -> any any (msg: "Match on FTP active port #6: >"; flow:to_server; ftp.dynamic_port: >59925; sid:6;)
+alert ftp any any -> any any (msg: "Match on FTP active port #7: range"; flow:to_server; ftp.dynamic_port: 59925-59927; sid:7;)
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-01/test.yaml b/tests/detect-ftp/ftp-active-dynamic_port-01/test.yaml
new file mode 100644
index 000000000..435d03d59
--- /dev/null
+++ b/tests/detect-ftp/ftp-active-dynamic_port-01/test.yaml
@@ -0,0 +1,63 @@
+pcap: ../../bug-3519/input.pcap
+
+requires:
+ version: 8
+
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.dynamic_port: 59914
+ alert.signature_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.dynamic_port: 59926
+ alert.signature_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.dynamic_port: 59926
+ alert.signature_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.dynamic_port: 59926
+ alert.signature_id: 4
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.dynamic_port: 59926
+ alert.signature_id: 5
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.dynamic_port: 59926
+ alert.signature_id: 6
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.dynamic_port: 59926
+ alert.signature_id: 7
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/Makefile b/tests/detect-ftp/ftp-active-dynamic_port-02/Makefile
new file mode 100644
index 000000000..054932ac4
--- /dev/null
+++ b/tests/detect-ftp/ftp-active-dynamic_port-02/Makefile
@@ -0,0 +1,2 @@
+ftp-active-dynamic_port.pcap: ftp-active-dynamic_port.syn
+ flowsynth.py -f pcap -w $@ $^
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/README.md b/tests/detect-ftp/ftp-active-dynamic_port-02/README.md
new file mode 100644
index 000000000..35b1cea36
--- /dev/null
+++ b/tests/detect-ftp/ftp-active-dynamic_port-02/README.md
@@ -0,0 +1,3 @@
+pcap made with flowsynth
+
+https://github.com/secureworks/flowsynth
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.pcap b/tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.pcap
new file mode 100644
index 000000000..7558fd806
Binary files /dev/null and b/tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.pcap differ
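Review bot: The checks for sids 3 through 7 each assert one alert on the PORT 59926 transaction only, so they are all equality matches and cannot distinguish `>=` from `<=`, `<` from `>`, or the range from `=`: an operator implemented backwards would still pass. The same pcap carries a PORT 59914 command (sid 1's check asserts exactly one alert on it), which `<=59926` (sid 4) and `<59927` (sid 5) should also match while `>=59926` (sid 3), `>59925` (sid 6) and `59925-59927` (sid 7) must not. Adding positive checks on 59914 for sids 4 and 5 and `count: 0` checks on 59914 for sids 3, 6 and 7 would pin the operator semantics the commit message says this test exists to cover. The two shapes are shown below; the remaining three follow the same pattern.

```yaml
# … unchanged: existing checks for sids 1-7 …

  # sid 4 (<=59926) must also fire on the PORT 59914 command; same for sid 5 (<59927)
  - filter:
      count: 1
      match:
        event_type: alert
        ftp.command: PORT
        ftp.dynamic_port: 59914
        alert.signature_id: 4

  # sid 3 (>=59926) must not fire on PORT 59914; same for sid 6 (>59925) and sid 7 (range)
  - filter:
      count: 0
      match:
        event_type: alert
        ftp.command: PORT
        ftp.dynamic_port: 59914
        alert.signature_id: 3
```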
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.syn b/tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.syn
new file mode 100644
index 000000000..b67be599f
--- /dev/null
+++ b/tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.syn
@@ -0,0 +1,10 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:21 (tcp.initialize; mss: 9000;);
+default < (content:"220 (Ftp Server)\x0d\x0a";);
+default > (content:"USER user\x0d\x0a";);
+default < (content:"331 Please specify the password.\x0d\x0a";);
+default > (content:"PASS password\x0d\x0a";);
+default < (content:"230 Login successful.\x0d\x0a";);
+default > (content:"EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|34325|\x0d\x0a";);
+default < (content:"200 EPRT command successful. Consider using EPSV\x0d\x0a";);
+default < (content:"QUIT\x0d\x0a";);
+default < (content:"221 Goodbye.\x0d\x0a";);
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/input.rules b/tests/detect-ftp/ftp-active-dynamic_port-02/input.rules
new file mode 100644
index 000000000..ba85abcfc
--- /dev/null
+++ b/tests/detect-ftp/ftp-active-dynamic_port-02/input.rules
@@ -0,0 +1 @@
+alert ftp any any -> any any (msg: "Match on FTP active port #1"; ftp.dynamic_port: 34325; sid:1;)
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/test.yaml b/tests/detect-ftp/ftp-active-dynamic_port-02/test.yaml
new file mode 100644
index 000000000..a3fe08054
--- /dev/null
+++ b/tests/detect-ftp/ftp-active-dynamic_port-02/test.yaml
@@ -0,0 +1,16 @@
+pcap: ftp-active-dynamic_port.pcap
+
+requires:
+ version: 8
+
+args:
+- -k none
+checks:
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ ftp.command: EPRT
+ ftp.dynamic_port: 34325
+ alert.signature_id: 1
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-01/input.rules b/tests/detect-ftp/ftp-passive-dynamic_port-01/input.rules
new file mode 100644
index 000000000..17e57972b
--- /dev/null
+++ b/tests/detect-ftp/ftp-passive-dynamic_port-01/input.rules
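Review bot: The QUIT line in the .syn is marked `<` (server to client), but QUIT is a client command and every other client line in this flow uses `>`; as written flowsynth emits QUIT from 2.2.2.2:21, so the session teardown in the generated pcap is in the wrong direction. Change it to `default > (content:"QUIT\x0d\x0a";);` and regenerate the pcap via the Makefile target so the checked-in capture matches its source. This does not affect the EPRT assertion, but a fixture that contradicts the protocol will confuse anyone reusing it for direction-sensitive tests.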
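Review bot: This check expects `count: 2` alerts for a single EPRT command, and the rule in this test's input.rules is the only ftp.dynamic_port rule in the change without `flow:to_server`; presumably the second alert is raised on the response side of the same transaction. If exercising direction-less matching is the intent, say so with a one-line comment above the check, e.g. `# no flow:to_server in the rule, so the request and the 200 reply both alert`; otherwise align with the sibling tests (`flow:to_server;` in the rule, `count: 1` here) so the test pins the keyword rather than the direction behaviour. The `-k none` argument is warranted for a flowsynth pcap but deserves the same kind of comment, since the other tests in this change do not need it.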
@@ -0,0 +1 @@
+alert ftp any any -> any any (msg: "Match on FTP EPSV port"; flow:to_server; ftp.dynamic_port: 58612; sid:1;)
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-01/test.yaml b/tests/detect-ftp/ftp-passive-dynamic_port-01/test.yaml
new file mode 100644
index 000000000..e6d25b2f5
--- /dev/null
+++ b/tests/detect-ftp/ftp-passive-dynamic_port-01/test.yaml
@@ -0,0 +1,14 @@
+pcap: ../../ftp-epsv/input.pcap
+
+requires:
+ version: 8
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: EPSV
+ ftp.dynamic_port: 58612
+ alert.signature_id: 1
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-02/Makefile b/tests/detect-ftp/ftp-passive-dynamic_port-02/Makefile
new file mode 100644
index 000000000..bb99b73f5
--- /dev/null
+++ b/tests/detect-ftp/ftp-passive-dynamic_port-02/Makefile
@@ -0,0 +1,3 @@
+ftp-passive-dynamic_port.pcap: ftp-passive-dynamic_port.syn
+ flowsynth.py -f pcap -w $@ $^
+
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.pcap b/tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.pcap
new file mode 100644
index 000000000..a0a0db523
Binary files /dev/null and b/tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.pcap differ
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.syn b/tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.syn
new file mode 100644
index 000000000..43e05218c
--- /dev/null
+++ b/tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.syn
@@ -0,0 +1,14 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:21 (tcp.initialize; mss: 9000;);
+default < (content:"220 (Ftp Server)\x0d\x0a";);
+default > (content:"USER user\x0d\x0a";);
+default < (content:"331 Please specify the password.\x0d\x0a";);
+default > (content:"PASS password\x0d\x0a";);
+default < (content:"230 Login successful.\x0d\x0a";);
+default > (content:"SYST\x0d\x0a";);
+default < (content:"215 UNIX Type: L8\x0d\x0a";);
+default > (content:"TYPE I\x0d\x0a";);
+default < (content:"200 Switching to Binary mode.\x0d\x0a";);
+default > (content:"PASV\x0d\x0a";);
+default < (content:"227 Entering Passive Mode (2,2,2,2,185,13).\x0d\x0a";);
+default > (content:"RETR index.html\x0d\x0a";);
+default < (content:"550 Failed to open file.\x0d\x0a";);
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-02/input.rules b/tests/detect-ftp/ftp-passive-dynamic_port-02/input.rules
new file mode 100644
index 000000000..0d2449330
--- /dev/null
+++ b/tests/detect-ftp/ftp-passive-dynamic_port-02/input.rules
@@ -0,0 +1 @@
+alert ftp any any -> any any (msg: "Match on FTP EPSV port"; flow:to_server; ftp.dynamic_port: 47373; sid:1;)
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-02/test.yaml b/tests/detect-ftp/ftp-passive-dynamic_port-02/test.yaml
new file mode 100644
index 000000000..85ccf5924
--- /dev/null
+++ b/tests/detect-ftp/ftp-passive-dynamic_port-02/test.yaml
@@ -0,0 +1,14 @@
+pcap: ftp-passive-dynamic_port.pcap
+
+requires:
+ version: 8
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PASV
+ ftp.dynamic_port: 47373
+ alert.signature_id: 1
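Review bot: The rule's `msg` reads "Match on FTP EPSV port", but this test drives a PASV exchange — the port comes from the `227 Entering Passive Mode (2,2,2,2,185,13)` reply in the .syn, 185*256+13 = 47373, and the check filters on `ftp.command: PASV` — so the text looks copied from ftp-passive-dynamic_port-01. Change it to `msg: "Match on FTP PASV port"` so a failing or unexpected alert is identifiable from its message. A short comment in the .syn recording the 185,13 → 47373 derivation would also spare the next reader the arithmetic when the rule value is adjusted.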