ftp: Add test for FTP bounce attack detection 1283/head 1284/head
authorCole Dishington <Cole.Dishington@alliedtelesis.co.nz>
Tue, 23 May 2023 02:28:13 +0000 (14:28 +1200)
committerVictor Julien <victor@inliniac.net>
Mon, 3 Jul 2023 12:44:44 +0000 (14:44 +0200)
Add a test covering both the true-positive case (a PORT command aimed at a third-party host is alerted on as an FTP bounce) and the false-positive case (a legitimate PORT command pointing back at the client is not alerted on).

Bug: #6087

tests/ftp/ftp-bounce/Makefile [new file with mode: 0644]
tests/ftp/ftp-bounce/README.md [new file with mode: 0644]
tests/ftp/ftp-bounce/test.pcap [new file with mode: 0644]
tests/ftp/ftp-bounce/test.rules [new file with mode: 0644]
tests/ftp/ftp-bounce/test.syn [new file with mode: 0644]
tests/ftp/ftp-bounce/test.yaml [new file with mode: 0644]

diff --git a/tests/ftp/ftp-bounce/Makefile b/tests/ftp/ftp-bounce/Makefile
new file mode 100644 (file)
index 0000000..32cfed7
--- /dev/null
@@ -0,0 +1,4 @@
+FLOWSYNTH?=flowsynth.py
+
+test.pcap: test.syn
+       $(FLOWSYNTH) -f pcap -w $@ $^
diff --git a/tests/ftp/ftp-bounce/README.md b/tests/ftp/ftp-bounce/README.md
new file mode 100644 (file)
index 0000000..833c2fe
--- /dev/null
@@ -0,0 +1,8 @@
+# Test Purpose
+
+Test that an FTP bounce is not detected for a valid FTP PORT command but is
+detected for an invalid FTP PORT command.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
diff --git a/tests/ftp/ftp-bounce/test.pcap b/tests/ftp/ftp-bounce/test.pcap
new file mode 100644 (file)
index 0000000..a9821b0
Binary files /dev/null and b/tests/ftp/ftp-bounce/test.pcap differ
diff --git a/tests/ftp/ftp-bounce/test.rules b/tests/ftp/ftp-bounce/test.rules
new file mode 100644 (file)
index 0000000..b08879b
--- /dev/null
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"FTP bounce attack"; ftpbounce; sid:1;)
\ No newline at end of file
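Review bot: The rule file ends without a trailing newline (see the `\ No newline at end of file` marker) and the signature carries no `rev`, both of which most Suricata rule sets include; neither affects the outcome of this test, so this is a style point only. Suggest `alert tcp any any -> any any (msg:"FTP bounce attack"; ftpbounce; sid:1; rev:1;)` terminated by a newline. Since a PORT command only travels from client to server, adding `flow:to_server,established;` would also document the direction being inspected, although the ftpbounce keyword itself should already confine the match to FTP PORT commands.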
diff --git a/tests/ftp/ftp-bounce/test.syn b/tests/ftp/ftp-bounce/test.syn
new file mode 100644 (file)
index 0000000..a275aad
--- /dev/null
@@ -0,0 +1,19 @@
+# This is a valid FTP control transaction for active session
+flow valid tcp 1.1.1.2:33112 > 2.2.2.1:21 (tcp.initialize; mss:9000;);
+valid < (content:"220 Operation successful\x0d\x0a";);
+valid > (content:"USER anonymous\x0d\x0a";);
+valid < (content:"230 Operation successful\x0d\x0a";);
+valid > (content:"PORT 1,1,1,2,232,157\x0d\x0a";);
+valid < (content:"200 Operation successful\x0d\x0a";);
+valid > (content:"QUIT\x0d\x0a";);
+valid < (content:"221 Operation successful\x0d\x0a";);
+
+# This is a FTP control transaction attempting a bounce attack
+flow attack tcp 1.1.1.2:58316 > 2.2.2.1:21 (tcp.initialize;);
+attack < (content:"220 Operation successful\x0d\x0a";);
+attack > (content:"USER anonymous\x0d\x0a";);
+attack < (content:"230 Operation successful\x0d\x0a";);
+attack > (content:"PORT 2,2,2,3,0,80\x0d\x0a";);
+attack < (content:"200 Operation successful\x0d\x0a";);
+attack > (content:"QUIT\x0d\x0a";);
+attack < (content:"221 Operation successful\x0d\x0a";);
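Review bot: The two comment lines say only that one transaction is "valid" and the other "a bounce attack", leaving the reader to decode the six-octet PORT arguments to see what actually differs. The distinguishing fact is that `PORT 1,1,1,2,232,157` points the server's data connection back at the client itself (1.1.1.2, port 232*256+157 = 59549), whereas `PORT 2,2,2,3,0,80` directs it to 2.2.2.3:80, a host other than the client 1.1.1.2 — the classic bounce pattern. I would record that in the comments: `# Legitimate active-mode session: PORT sends the data connection back to the client (1.1.1.2:59549)` and `# Bounce attempt: PORT directs the server's data connection to a third party (2.2.2.3:80), not to the client 1.1.1.2`. The valid flow also sets `mss:9000` while the attack flow does not; if that is not deliberate, giving both flows identical TCP options makes the PORT target the only difference between them.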
diff --git a/tests/ftp/ftp-bounce/test.yaml b/tests/ftp/ftp-bounce/test.yaml
new file mode 100644 (file)
index 0000000..7c242b6
--- /dev/null
@@ -0,0 +1,38 @@
+checks:
+  # Match on the valid FTP connection, discern by user port 33112
+  - filter:
+      count: 1
+      match:
+        src_port: 33112
+        event_type: ftp
+        ftp.mode: active
+        ftp.command: PORT
+        ftp.dynamic_port: 59549
+        ftp.reply_received: 'yes'
+  # First FTP connect is all valid, no alerts should be generated
+  - filter:
+      count: 0
+      match:
+        src_port: 33112
+        event_type: alert
+        alert.signature_id: 1
+        app_proto: ftp
+
+  # Match on the FTP bounce connection, discern by user port 58316
+  - filter:
+      count: 1
+      match:
+        src_port: 58316
+        event_type: ftp
+        ftp.mode: active
+        ftp.command: PORT
+        ftp.dynamic_port: 80
+        ftp.reply_received: 'yes'
+  # Catch the attack
+  - filter:
+      count: 1
+      match:
+        src_port: 58316
+        event_type: alert
+        alert.signature_id: 1
+        app_proto: ftp
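Review bot: The expected `ftp.dynamic_port: 59549` in the first check is derived from the PORT argument `232,157` in test.syn, but nothing in the yaml records that derivation, so anyone editing the .syn file later is left with a number that looks arbitrary. Suggest a comment above that key, `# 59549 = 232*256 + 157, from "PORT 1,1,1,2,232,157" in test.syn`, and the matching `# 80 = 0*256 + 80, from "PORT 2,2,2,3,0,80" in test.syn` above `ftp.dynamic_port: 80` in the bounce check. The `count: 0` alert filter for the valid flow is the assertion that actually guards against false positives; its comment could say so explicitly, e.g. `# PORT back to the client itself must not be flagged as a bounce (false-positive guard)`.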