tests/ftpdata: add detection

author Victor Julien <victor@inliniac.net>

Tue, 12 Jan 2021 21:03:13 +0000 (22:03 +0100)

committer Jason Ish <jason.ish@oisf.net>

Fri, 30 Apr 2021 18:08:31 +0000 (12:08 -0600)
author Victor Julien <victor@inliniac.net>
Tue, 12 Jan 2021 21:03:13 +0000 (22:03 +0100)
committer Jason Ish <jason.ish@oisf.net>
Fri, 30 Apr 2021 18:08:31 +0000 (12:08 -0600)
diff --git a/tests/output-eve-ftp-data/test.rules b/tests/output-eve-ftp-data/test.rules

new file mode 100644 (file)

index 0000000..d3cbcfd
--- /dev/null
+++ b/tests/output-eve-ftp-data/test.rules
@@ -0,0 +1,4 @@
+alert ftp-data any any -> any any (file.name; content:"temp.txt"; sid:1;)
+alert ftp-data any any -> any any (filename:"temp.txt"; sid:2;)
+alert ftp-data any any -> any any (fileext:"txt"; sid:3;)
+#alert ftp-data any any -> any any (file_data; content:"temp.txt"; sid:4;)
diff --git a/tests/output-eve-ftp-data/test.yaml b/tests/output-eve-ftp-data/test.yaml

index 8323e0d405b22a352b07ceba1b26601862bfdcb2..7fb3aaaafa7f0e77e13088e8873c16b2512fc815 100644 (file)
--- a/tests/output-eve-ftp-data/test.yaml
+++ b/tests/output-eve-ftp-data/test.yaml
@@ -10,6 +10,21 @@ checks:
        match:
          event_type: ftp_data
  
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
    - filter:
        count: 1
        match:
author	Victor Julien <victor@inliniac.net>
	Tue, 12 Jan 2021 21:03:13 +0000 (22:03 +0100)
committer	Jason Ish <jason.ish@oisf.net>
	Fri, 30 Apr 2021 18:08:31 +0000 (12:08 -0600)
tests/output-eve-ftp-data/test.rules	[new file with mode: 0644]	patch \| blob
tests/output-eve-ftp-data/test.yaml		patch \| blob \| blame \| history