Issue: 7503
Add tests that check for
- ftp.command and ftp.command_data
- ftp.command_data
--- /dev/null
+alert ftp any any -> any any (msg: "Match on FTP command/command-data #1"; flow:to_server; ftp.command; content: "USER"; ftp.command_data; content:"anonymous"; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP command/command-data #2"; flow:to_server; ftp.command; content: "PASS"; ftp.command_data; content:"anonymous"; sid:2;)
+alert ftp any any -> any any (msg: "Match on FTP command-data #2"; flow:to_server; ftp.command_data; content:"temp.txt"; sid:3;)
+alert ftp any any -> any any (msg: "Match on FTP command-data #3"; flow:to_server; ftp.command_data; content:"192,168,0,13,234,10"; sid:4;)
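Review bot: The msg strings on sid:3 and sid:4 read "Match on FTP command-data #2" and "Match on FTP command-data #3", so there is no command-data #1, and "#2" is easy to confuse with the command/command-data #2 rule at sid:2. Renumbering them #1 and #2 would fix that. Separately, sid:3 and sid:4 match on ftp.command_data with no ftp.command constraint, so they fire on any command carrying that argument. The expected count of 1 for each therefore depends on the pcap containing "temp.txt" and "192,168,0,13,234,10" in exactly one command each, which deserves a comment. No rule here exercises ftp.command on its own. Minor style point: spacing after content: is inconsistent (content: "USER" next to content:"anonymous").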
--- /dev/null
+pcap: ../../bug-3519/input.pcap
+
+requires:
+ min-version: 8
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: USER
+ ftp.command_data: anonymous
+ alert.signature_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PASS
+ ftp.command_data: anonymous
+ alert.signature_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: RETR
+ ftp.command_data: temp.txt
+ alert.signature_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.command_data: 192,168,0,13,234,10
+ alert.signature_id: 4
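Review bot: All four filters assert a positive match with count: 1, and nothing asserts that a rule stays silent where it should. A filter with count: 0 on alert.signature_id: 1 together with ftp.command: PASS (and the reverse for signature_id 2) would show that ftp.command and ftp.command_data are evaluated against the same command rather than across commands in the flow. Both USER and PASS carry "anonymous" in this capture, which is the case where such a mix-up could occur. The pcap line points at ../../bug-3519/input.pcap, so this test depends on that other test directory staying in place; a short comment saying why the capture is shared would help whoever touches bug-3519 later.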