test/ftp: Tests for ftp.mode keyword 2508/head
authorJeff Lucovsky <jlucovsky@oisf.net>
Sat, 26 Apr 2025 12:16:34 +0000 (08:16 -0400)
committerVictor Julien <victor@inliniac.net>
Wed, 14 May 2025 05:35:28 +0000 (07:35 +0200)
Issue: 7505

Add tests for the ftp.mode keyword: matching on active mode, matching on
passive mode, and rule validation checks on the keyword option value.

tests/detect-ftp/ftp-mode-01/input.rules [new file with mode: 0644]
tests/detect-ftp/ftp-mode-01/test.yaml [new file with mode: 0644]
tests/detect-ftp/ftp-mode-02/input.pcap [new file with mode: 0644]
tests/detect-ftp/ftp-mode-02/input.rules [new file with mode: 0644]
tests/detect-ftp/ftp-mode-02/test.yaml [new file with mode: 0644]
tests/detect-ftp/ftp-mode-03/input.rules [new file with mode: 0644]
tests/detect-ftp/ftp-mode-03/test.yaml [new file with mode: 0644]

diff --git a/tests/detect-ftp/ftp-mode-01/input.rules b/tests/detect-ftp/ftp-mode-01/input.rules
new file mode 100644 (file)
index 0000000..fda30b3
--- /dev/null
@@ -0,0 +1 @@
+alert ftp any any -> any any (msg: "Match on FTP active mode"; flow:established; ftp.mode: active; sid:1;)
diff --git a/tests/detect-ftp/ftp-mode-01/test.yaml b/tests/detect-ftp/ftp-mode-01/test.yaml
new file mode 100644 (file)
index 0000000..191fb74
--- /dev/null
@@ -0,0 +1,14 @@
+requires:
+  version: 8
+
+pcap: ../../bug-3519/input.pcap
+
+checks:
+
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        ftp.command: PORT
+        ftp.mode: active
+        alert.signature_id: 1
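Review bot: The only check in this test.yaml is positive, so it would still pass if `ftp.mode: active` also matched transactions that are not in active mode. The filter pins four alerts carrying `ftp.command: PORT` and `ftp.mode: active`, but nothing bounds what else sid 1 fires on. Consider a second `- filter:` with `count: 0` that matches `event_type: alert`, `ftp.mode: passive` and `alert.signature_id: 1`. Whether the borrowed `../../bug-3519/input.pcap` contains any passive-mode traffic is not visible here, so the negative check may need a capture that mixes both modes to be meaningful.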
diff --git a/tests/detect-ftp/ftp-mode-02/input.pcap b/tests/detect-ftp/ftp-mode-02/input.pcap
new file mode 100644 (file)
index 0000000..811c225
Binary files /dev/null and b/tests/detect-ftp/ftp-mode-02/input.pcap differ
diff --git a/tests/detect-ftp/ftp-mode-02/input.rules b/tests/detect-ftp/ftp-mode-02/input.rules
new file mode 100644 (file)
index 0000000..fd600be
--- /dev/null
@@ -0,0 +1 @@
+alert ftp any any -> any any (msg: "Match on FTP passive mode #1"; flow:established; ftp.mode:passive; sid:1;)
diff --git a/tests/detect-ftp/ftp-mode-02/test.yaml b/tests/detect-ftp/ftp-mode-02/test.yaml
new file mode 100644 (file)
index 0000000..0583a79
--- /dev/null
@@ -0,0 +1,16 @@
+requires:
+  version: 8
+
+pcap: ../../ftp-epsv/input.pcap
+
+args:
+ -  -k none
+
+checks:
+
+  - filter:
+      count: 8
+      match:
+        event_type: alert
+        ftp.mode: passive
+        alert.signature_id: 1
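Review bot: Unlike ftp-mode-01, this filter does not pin `ftp.command`, so the eight alerts are not tied to the command that put the session into passive mode. The pcap path suggests EPSV, but that is inferred; adding the expected `ftp.command:` value to the `match:` block would state which command is covered. The `-k none` argument also deserves a one-line comment, for example `# -k none: do not drop packets from the shared capture on checksum errors`, if that is indeed the reason. The list item under `args:` is indented one space with a double space after the dash (` -  -k none`), where ftp-mode-03 uses `  - --engine-analysis`.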
diff --git a/tests/detect-ftp/ftp-mode-03/input.rules b/tests/detect-ftp/ftp-mode-03/input.rules
new file mode 100644 (file)
index 0000000..b2b654f
--- /dev/null
@@ -0,0 +1,3 @@
+alert ftp any any -> any any (msg: "Match on FTP active mode"; flow:established; ftp.mode: suricata; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP active mode"; flow:established; ftp.mode: xpassive; sid:2;)
+alert ftp any any -> any any (msg: "Match on FTP active mode"; flow:established; ftp.mode: xactive; sid:3;)
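Review bot: All three rules keep the copied `msg: "Match on FTP active mode"`, although each exists to be rejected for an invalid `ftp.mode` value. When one of them shows up in suricata.log, the message points the reader at the wrong intent. A message that names the case would make failures self-explanatory, e.g. `msg: "Invalid ftp.mode value: suricata"`, and likewise for `xpassive` and `xactive`.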
diff --git a/tests/detect-ftp/ftp-mode-03/test.yaml b/tests/detect-ftp/ftp-mode-03/test.yaml
new file mode 100644 (file)
index 0000000..af5086d
--- /dev/null
@@ -0,0 +1,14 @@
+requires:
+  version: 8
+  pcap: false
+
+exit-code: 1
+
+args:
+  - --engine-analysis
+
+checks:
+
+  - shell:
+      args: grep "error parsing signature" suricata.log | wc -l | xargs
+      expect: 3
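Review bot: The shell check counts every `error parsing signature` line, so it passes whenever the three rules fail to load for any reason, not only because the mode value is invalid. A build that satisfies `version: 8` but does not register the `ftp.mode` keyword at all would presumably produce the same three lines and the same exit code. To tie the result to option-value validation, add a second `- shell:` check that greps for the keyword's own invalid-value error, e.g. `args: grep "<ftp.mode invalid-value message>" suricata.log | wc -l | xargs` with `expect: 3`. The quoted text is a placeholder for whatever message the keyword parser logs.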