app-layer-ftp: detect FTP alproto when using AUTH TLS
authorMats Klepsland <mats.klepsland@gmail.com>
Wed, 1 Feb 2017 09:24:52 +0000 (10:24 +0100)
committerVictor Julien <victor@inliniac.net>
Mon, 8 May 2017 08:43:36 +0000 (10:43 +0200)
Try to detect FTP using the patterns '220 (' and 'FEAT', since 'USER '
and 'PASS ' are not sent in cleartext when using AUTH TLS.

src/app-layer-ftp.c

index 681f7ab9c27caa9f881b1fcc3ac88af38a87d1d1..f21c73f72220a1d08343151ffae45737e0ac9a61 100644 (file)
@@ -379,6 +379,16 @@ static int FTPGetAlstateProgress(void *tx, uint8_t direction)
 
 static int FTPRegisterPatternsForProtocolDetection(void)
 {
+    if (AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_FTP,
+                                              "220 (", 5, 0, STREAM_TOCLIENT) < 0)
+    {
+        return -1;
+    }
+    if (AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_FTP,
+                                               "FEAT", 4, 0, STREAM_TOSERVER) < 0)
+    {
+        return -1;
+    }
     if (AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_FTP,
                                                "USER ", 5, 0, STREAM_TOSERVER) < 0)
     {
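Review bot: The two registrations added at the top of FTPRegisterPatternsForProtocolDetection cover only part of the AUTH TLS case: `"220 ("` matches just those server banners whose text begins with an opening parenthesis, and `"FEAT"` only helps when the client sends FEAT as its first command. A session whose banner has another form and whose client issues AUTH TLS first would presumably still not be classified as FTP, so the FTP parser and FTP rules would not run on it. That limit deserves a comment above the new block, for example `/* AUTH TLS hides USER/PASS: fall back to the "220 (" banner and FEAT; other banner forms are not matched */`. Whether an additional to-server pattern for the AUTH command would collide with other protocols' patterns cannot be judged from this hunk. As a style point, the continuation line of the first call is indented one column less than the ones below it; the function body continues past the end of the hunk.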