Issue: 7508
Add tests for the ftp.reply keyword.
--- /dev/null
+alert ftp any any -> any any (msg: "Match on FTP reply #1"; flow:to_client; ftp.reply; content:"Please specify the password."; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP reply #2"; flow:to_client; ftp.reply; content:"Opening BINARY mode data connection for temp.txt (1164 bytes)."; sid:2;)
+alert ftp any any -> any any (msg: "Match on FTP reply #3"; flow:to_client; ftp.reply; content:"Transfer complete."; sid:3;)
+alert ftp any any -> any any (msg: "Match on FTP reply #4"; flow:to_client; ftp.reply; content:"Goodbye."; sid:4;)
+alert ftp any any -> any any (msg: "Match on FTP reply #5"; flow:to_client; ftp.reply; content:"Directory send OK."; sid:5;)
--- /dev/null
+pcap: ../../bug-3519/input.pcap
+
+requires:
+ min-version: 8
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.reply: ['Please specify the password.']
+ alert.signature_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.reply.__contains: 'Opening BINARY mode data connection for temp.txt (1164 bytes).'
+ alert.signature_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.reply.__contains: 'Transfer complete.'
+ alert.signature_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.reply.__contains: 'Goodbye.'
+ alert.signature_id: 4
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.reply.__contains: 'Directory send OK.'
+ alert.signature_id: 5
projects / thirdparty / suricata-verify.git / commitdiff
