From: Mats Klepsland <mats.klepsland@gmail.com>
Date: Wed, 1 Feb 2017 11:56:39 +0000 (+0100)
Subject: app-layer-ftp: add STARTTLS support
X-Git-Tag: suricata-4.0.0-beta1~96
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=11b9e6fdab8a273d262d4cf68f5b85528feb20d9;p=thirdparty%2Fsuricata.git

app-layer-ftp: add STARTTLS support
---

diff --git a/src/app-layer-ftp.c b/src/app-layer-ftp.c
index f21c73f722..080e4ea8f3 100644
--- a/src/app-layer-ftp.c
+++ b/src/app-layer-ftp.c
@@ -186,16 +186,14 @@ static int FTPParseRequestCommand(void *ftp_state, uint8_t *input,
     FtpState *fstate = (FtpState *)ftp_state;
     fstate->command = FTP_COMMAND_UNKNOWN;
 
-    if (input_len >= 4) {
-        if (SCMemcmpLowercase("port", input, 4) == 0) {
-            fstate->command = FTP_COMMAND_PORT;
-        }
+    if (input_len >= 4 && SCMemcmpLowercase("port", input, 4) == 0) {
+        fstate->command = FTP_COMMAND_PORT;
+    }
 
-        /* else {
-         *     Add the ftp commands you need here
-         * }
-         */
+    if (input_len >= 8 && SCMemcmpLowercase("auth tls", input, 8) == 0) {
+        fstate->command = FTP_COMMAND_AUTH_TLS;
     }
+
     return 1;
 }
 
@@ -268,6 +266,14 @@ static int FTPParseResponse(Flow *f, void *ftp_state, AppLayerParserState *pstat
                             uint8_t *input, uint32_t input_len,
                             void *local_data)
 {
+    FtpState *state = (FtpState *)ftp_state;
+
+    if (state->command == FTP_COMMAND_AUTH_TLS) {
+        if (input_len >= 4 && SCMemcmp("234 ", input, 4) == 0) {
+            FlowSetChangeProtoFlag(f);
+        }
+    }
+
     return 1;
 }
 
diff --git a/src/app-layer-ftp.h b/src/app-layer-ftp.h
index de93f5f773..a789c1ce34 100644
--- a/src/app-layer-ftp.h
+++ b/src/app-layer-ftp.h
@@ -36,6 +36,7 @@ typedef enum {
     FTP_COMMAND_ACCT,
     FTP_COMMAND_ALLO,
     FTP_COMMAND_APPE,
+    FTP_COMMAND_AUTH_TLS,
     FTP_COMMAND_CDUP,
     FTP_COMMAND_CHMOD,
     FTP_COMMAND_CWD,