tests/ftp: add checks for too long alerts
authorJason Ish <jason.ish@oisf.net>
Fri, 20 Jan 2023 22:26:04 +0000 (16:26 -0600)
committerJason Ish <jason.ish@oisf.net>
Tue, 31 Jan 2023 21:33:17 +0000 (15:33 -0600)
Related issue: 5235

tests/ftp/ftp-too-long-command/ftp-events.rules [new file with mode: 0644]
tests/ftp/ftp-too-long-command/test.yaml
tests/ftp/ftp-too-long-response/ftp-events.rules [new file with mode: 0644]
tests/ftp/ftp-too-long-response/test.yaml

diff --git a/tests/ftp/ftp-too-long-command/ftp-events.rules b/tests/ftp/ftp-too-long-command/ftp-events.rules
new file mode 100644 (file)
index 0000000..d32c93f
--- /dev/null
@@ -0,0 +1,6 @@
+# FTP app-layer event rules
+#
+# SID range start: 2232000
+
+alert ftp any any -> any any (msg:"SURICATA FTP Request command too long"; flow:to_server; app-layer-event:ftp.request_command_too_long; classtype:protocol-command-decode; sid:2232000; rev:1;)
+alert ftp any any -> any any (msg:"SURICATA FTP Response command too long"; flow:to_client; app-layer-event:ftp.response_command_too_long; classtype:protocol-command-decode; sid:2232001; rev:1;)
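Review bot: The two signatures carry no pointer to where their sid/rev values were taken from, and the same file is added byte-for-byte to both tests (blob d32c93f at the index lines for both new files), so an upstream change to either rule would have to be found and mirrored twice by hand. A header line after the SID range comment such as `# Copied verbatim from <upstream rules file>; keep sid/rev in sync with it` would make the provenance and the duplication explicit. Each test only exercises one of the two events, so the unused rule in each copy is harmless, but a one-line comment saying which rule the test actually targets would save the next reader a lookup.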
index 9d3b54bb65f47d6a45e5f69e4435eeb7731c631d..f59c0cd42db754609e1808931f66b329bb910325 100644 (file)
@@ -18,3 +18,19 @@ checks:
         ftp.command_data: index.html
         ftp.command_truncated: false
         ftp.reply_truncated: false
+
+  # Look for anomaly event.
+  - filter:
+      min-version: 7
+      count: 1
+      match:
+        event_type: anomaly
+        anomaly.event: request_command_too_long
+
+  # Look for app-layer alert.
+  - filter:
+      min-version: 7
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2232000
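Review bot: The alert check matches on `event_type: alert` and `alert.signature_id: 2232000` only, so nothing in the filter ties the alert to the FTP app-layer event it is meant to cover; adding `alert.signature: SURICATA FTP Request command too long` or `app_proto: ftp` to the match would pin it to the rule added in ftp-events.rules, and the anomaly filter could carry `app_proto: ftp` alongside `anomaly.event` for the same reason. The hunk starts inside the `checks:` list, and the test's `args:` block, where ftp-events.rules would be loaded, is outside the hunk, so it is not visible here whether the new rules file is actually passed to Suricata; if it is not, the `count: 1` alert check fails on version 7. The same applies to the hunk at `@@ -13,3 +13,20 @@` for ftp-too-long-response with sid 2232001.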
diff --git a/tests/ftp/ftp-too-long-response/ftp-events.rules b/tests/ftp/ftp-too-long-response/ftp-events.rules
new file mode 100644 (file)
index 0000000..d32c93f
--- /dev/null
@@ -0,0 +1,6 @@
+# FTP app-layer event rules
+#
+# SID range start: 2232000
+
+alert ftp any any -> any any (msg:"SURICATA FTP Request command too long"; flow:to_server; app-layer-event:ftp.request_command_too_long; classtype:protocol-command-decode; sid:2232000; rev:1;)
+alert ftp any any -> any any (msg:"SURICATA FTP Response command too long"; flow:to_client; app-layer-event:ftp.response_command_too_long; classtype:protocol-command-decode; sid:2232001; rev:1;)
index 0ebef820e4e66dbbb38a3f7c9dd780bdf9fefdbe..8df38a9be49ab6a58c665e256cb625b20fc8b812 100644 (file)
@@ -13,3 +13,20 @@ checks:
         event_type: ftp
         ftp.command: PASV
         ftp.reply_truncated: true
+
+  # Look for anomaly event.
+  - filter:
+      min-version: 7
+      count: 1
+      match:
+        event_type: anomaly
+        anomaly.event: response_command_too_long
+
+  # Look for app-layer alert.
+  - filter:
+      min-version: 7
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2232001
+
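Review bot: The hunk ends with an added empty line (the final `+`), which leaves a trailing blank line at end of file that the ftp-too-long-command test.yaml hunk does not have. Dropping it keeps the two test files consistent and avoids a whitespace-only difference the next diff of this file will show.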