]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 99e95cf)
ftp: test where first segment of command should be truncated
authorJason Ish <jason.ish@oisf.net>
Fri, 22 Apr 2022 20:04:52 +0000 (14:04 -0600)
committerJason Ish <jason.ish@oisf.net>
Fri, 6 May 2022 15:11:26 +0000 (09:11 -0600)
tests/ftp/ftp-too-long-command-first/Makefile [new file with mode: 0644] patch | blob
tests/ftp/ftp-too-long-command-first/README.md [new file with mode: 0644] patch | blob
tests/ftp/ftp-too-long-command-first/ftp-too-long-command.pcap [new file with mode: 0644] patch | blob
tests/ftp/ftp-too-long-command-first/ftp-too-long-command.syn [new file with mode: 0644] patch | blob
tests/ftp/ftp-too-long-command-first/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/ftp/ftp-too-long-command-first/Makefile b/tests/ftp/ftp-too-long-command-first/Makefile
new file mode 100644 (file)
index 0000000..aa95225
--- /dev/null
+++ b/tests/ftp/ftp-too-long-command-first/Makefile
@@ -0,0 +1,3 @@
+ftp-too-long-command.pcap: ftp-too-long-command.syn
+       flowsynth.py -f pcap -w $@ $^
+
diff --git a/tests/ftp/ftp-too-long-command-first/README.md b/tests/ftp/ftp-too-long-command-first/README.md
new file mode 100644 (file)
index 0000000..c4e2895
--- /dev/null
+++ b/tests/ftp/ftp-too-long-command-first/README.md
@@ -0,0 +1,8 @@
+# Test Purpose
+
+Test that a first segment of an FTP command that is over the limited, but not
+new line terminated gets truncated.
+
+## PCAP
+
+PCAP generated with flowsynth.
diff --git a/tests/ftp/ftp-too-long-command-first/ftp-too-long-command.pcap b/tests/ftp/ftp-too-long-command-first/ftp-too-long-command.pcap
new file mode 100644 (file)
index 0000000..3a585a1
Binary files /dev/null and b/tests/ftp/ftp-too-long-command-first/ftp-too-long-command.pcap differ
diff --git a/tests/ftp/ftp-too-long-command-first/ftp-too-long-command.syn b/tests/ftp/ftp-too-long-command-first/ftp-too-long-command.syn
new file mode 100644 (file)
index 0000000..f2c720e
--- /dev/null
+++ b/tests/ftp/ftp-too-long-command-first/ftp-too-long-command.syn
@@ -0,0 +1,17 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:21 (tcp.initialize; mss: 9000;);
+default < (content:"220 (Ftp Server)\x0d\x0a";);
+default > (content:"USER user\x0d\x0a";);
+default < (content:"331 Please specify the password.\x0d\x0a";);
+default > (content:"PASS password\x0d\x0a";);
+default < (content:"230 Login successful.\x0d\x0a";);
+default > (content:"SYST\x0d\x0a";);
+default < (content:"215 UNIX Type: L8\x0d\x0a";);
+default > (content:"TYPE I\x0d\x0a";);
+default < (content:"200 Switching to Binary mode.\x0d\x0a";);
+default > (content:"PASV\x0d\x0a";);
+default < (content:"227 Entering Passive Mode (2,2,2,2,185,13).\x0d\x0a";);
+default > (content:"RETR AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";);
+default > (content:"Z\x0d\x0a";);
+default < (content:"550 Failed to open file.\x0d\x0a";);
+default > (content:"RETR index.html\x0d\x0a";);
+default < (content:"550 Failed to open file.\x0d\x0a";);
diff --git a/tests/ftp/ftp-too-long-command-first/test.yaml b/tests/ftp/ftp-too-long-command-first/test.yaml
new file mode 100644 (file)
index 0000000..24318a3
--- /dev/null
+++ b/tests/ftp/ftp-too-long-command-first/test.yaml
@@ -0,0 +1,20 @@
+checks:
+  # Look for the truncated command.
+  - filter:
+      count: 1
+      match:
+        event_type: ftp
+        ftp.command: RETR
+        ftp.command_data.__len: 4091
+        ftp.command_truncated: true
+        ftp.reply_truncated: false
+
+  # Now look for the command after the truncated command.
+  - filter:
+      count: 1
+      match:
+        event_type: ftp
+        ftp.command: RETR
+        ftp.command_data: index.html
+        ftp.command_truncated: false
+        ftp.reply_truncated: false
Mirror of https://github.com/OISF/suricata-verify.git