From 4db31c3102ba5ef3d164dc1dc152a56452848656 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Wed, 16 Apr 2025 09:29:49 -0400
Subject: [PATCH] tests/ftp: Add tests for ftp_reply_received keyword
Add tests for the FTP keyword ftp.reply_received that alert on both values for reply_received -- "yes" and "no". Also validate that only yes, no, on, off are accepted.
Issue: 7506
---
.../ftp-reply-received-01/input.rules | 2 ++
.../ftp-reply-received-01/test.yaml | 20 +++++++++++++++++++
.../ftp-reply-received-02/input.rules | 2 ++
.../ftp-reply-received-02/test.yaml | 20 +++++++++++++++++++
.../ftp-reply-received-03/input.rules | 3 +++
.../ftp-reply-received-03/test.yaml | 13 ++++++++++++
6 files changed, 60 insertions(+)
create mode 100644 tests/detect-ftp/ftp-reply-received-01/input.rules
create mode 100644 tests/detect-ftp/ftp-reply-received-01/test.yaml
create mode 100644 tests/detect-ftp/ftp-reply-received-02/input.rules
create mode 100644 tests/detect-ftp/ftp-reply-received-02/test.yaml
create mode 100644 tests/detect-ftp/ftp-reply-received-03/input.rules
create mode 100644 tests/detect-ftp/ftp-reply-received-03/test.yaml
diff --git a/tests/detect-ftp/ftp-reply-received-01/input.rules b/tests/detect-ftp/ftp-reply-received-01/input.rules
new file mode 100644
index 000000000..4e05f023a
--- /dev/null
+++ b/tests/detect-ftp/ftp-reply-received-01/input.rules
@@ -0,0 +1,2 @@
+alert ftp any any -> any any (msg: "Match on FTP reply received: yes"; flow:established; ftp.reply_received: yes; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP reply received: yes"; flow:established; ftp.reply_received: on; sid:2;)
diff --git a/tests/detect-ftp/ftp-reply-received-01/test.yaml b/tests/detect-ftp/ftp-reply-received-01/test.yaml
new file mode 100644
index 000000000..999d8a54c
--- /dev/null
+++ b/tests/detect-ftp/ftp-reply-received-01/test.yaml
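Review bot: Both rules in 01/input.rules carry the same `msg: "Match on FTP reply received: yes"` although sid:2 exercises the `on` spelling, so an alert from either sid reads identically in eve output and in suricata.log when a count check fails. Naming the variant in the message, e.g. `msg: "Match on FTP reply received: on"` for sid:2, makes it obvious which spelling misbehaved. The same applies to the `no`/`off` pair in 02/input.rules and to the three rejected rules in 03/input.rules, where every msg says `yes` even though the values under test are `yes yes`, `no no` and `suricata`.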
@@ -0,0 +1,20 @@
+requires:
+ version: 8
+
+pcap: ../../bug-3519/input.pcap
+
+checks:
+
+ - filter:
+ count: 7
+ match:
+ event_type: alert
+ ftp.reply_received: "yes"
+ alert.signature_id: 1
+
+ - filter:
+ count: 7
+ match:
+ event_type: alert
+ ftp.reply_received: "yes"
+ alert.signature_id: 2
diff --git a/tests/detect-ftp/ftp-reply-received-02/input.rules b/tests/detect-ftp/ftp-reply-received-02/input.rules
new file mode 100644
index 000000000..59beedaf7
--- /dev/null
+++ b/tests/detect-ftp/ftp-reply-received-02/input.rules
@@ -0,0 +1,2 @@
+alert ftp any any -> any any (msg: "Match on FTP reply-received NO"; ftp.reply_received: no; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP reply-received NO"; ftp.reply_received: off; sid:2;)
diff --git a/tests/detect-ftp/ftp-reply-received-02/test.yaml b/tests/detect-ftp/ftp-reply-received-02/test.yaml
new file mode 100644
index 000000000..fac9dc4c7
--- /dev/null
+++ b/tests/detect-ftp/ftp-reply-received-02/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ version: 8
+
+pcap: ../../ftp/ftp-too-long-response/ftp-too-long-response.pcap
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.reply_received: "no"
+ alert.signature_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.reply_received: "no"
+ alert.signature_id: 2
diff --git a/tests/detect-ftp/ftp-reply-received-03/input.rules b/tests/detect-ftp/ftp-reply-received-03/input.rules
new file mode 100644
index 000000000..59bec2d89
--- /dev/null
+++ b/tests/detect-ftp/ftp-reply-received-03/input.rules
@@ -0,0 +1,3 @@
+alert ftp any any -> any any (msg: "Match on FTP reply received: yes"; flow:established; ftp.reply_received: yes yes; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP reply received: yes"; flow:established; ftp.reply_received: no no; sid:2;)
+alert ftp any any -> any any (msg: "Match on FTP reply received: yes"; flow:established; ftp.reply_received: suricata; sid:3;)
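Review bot: The two checks in 01/test.yaml only count alerts that carry `ftp.reply_received: "yes"`, so they would still pass if the keyword also fired on transactions where no reply has been received yet; a stray sid:1 alert with `"no"` is never counted against the test. Pin the total per sid as well, e.g. a filter on `event_type: alert` and `alert.signature_id: 1` with `count: 7` and no reply_received key, or a `count: 0` filter on `ftp.reply_received: "no"` for each sid. The same gap is in 02/test.yaml, where the two `"no"` matches on the ftp-too-long-response pcap should be paired with a `count: 0` check for `"yes"` on sid:1 and sid:2.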
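Review bot: The two rules in 02/input.rules omit the `flow:established;` that the rules in 01/input.rules and 03/input.rules carry, so the positive `yes` and `no` tests are not symmetric and a difference in match counts could come from the flow check rather than from the keyword. If the omission is deliberate, a `#` comment above the rules saying why would stop a later cleanup from adding it back; otherwise adding `flow:established;` to both rules keeps the pair comparable.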
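Review bot: The three rejected spellings in 03/input.rules cover a repeated token, a second repeated token and an unknown word, but not the boundary cases a value parser most often gets wrong: an empty value (`ftp.reply_received: ;`) and a differently cased value such as `Yes`. Whether the keyword accepts case variants is not visible from this patch; adding one rule for each and adjusting the expected error count in 03/test.yaml accordingly would document the intended behaviour either way.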
diff --git a/tests/detect-ftp/ftp-reply-received-03/test.yaml b/tests/detect-ftp/ftp-reply-received-03/test.yaml
new file mode 100644
index 000000000..56efdc15c
--- /dev/null
+++ b/tests/detect-ftp/ftp-reply-received-03/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ version: 8
+ pcap: false
+
+exit-code: 1
+
+args:
+ - --engine-analysis
+checks:
+
+ - shell:
+ args: grep "error parsing signature" suricata.log | wc -l | xargs
+ expect: 3
-- 
2.47.2
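Review bot: The shell check counts every `error parsing signature` line in suricata.log, so it passes whenever exactly three signatures fail for any reason and says nothing about which three; anchoring the pattern on the keyword under test, `args: grep -c 'error parsing signature.*ftp.reply_received' suricata.log`, ties the count to the rules in 03/input.rules. That form also drops the `wc -l | xargs` pipeline, since `grep -c` already prints a bare number. A one-line comment above the check naming the three expected failures (`yes yes`, `no no`, `suricata`) would make the `expect: 3` self-explanatory.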