From: Jeff Lucovsky Date: Sat, 29 Mar 2025 12:09:38 +0000 (-0400) Subject: test/ftp: ftp.command_data keyword tests X-Git-Tag: suricata-7.0.11~114 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=441e1ca3fc736ac95db60e4c42e140e66ba7f492;p=thirdparty%2Fsuricata-verify.git test/ftp: ftp.command_data keyword tests Issue: 7503 Add tests that check for - ftp.command and ftp.command_data - ftp.command_data
---
diff --git a/tests/detect-ftp/ftp-command-data-01/input.rules b/tests/detect-ftp/ftp-command-data-01/input.rules
new file mode 100644
index 000000000..e283ac02a
--- /dev/null
+++ b/tests/detect-ftp/ftp-command-data-01/input.rules
@@ -0,0 +1,4 @@
+alert ftp any any -> any any (msg: "Match on FTP command/command-data #1"; flow:to_server; ftp.command; content: "USER"; ftp.command_data; content:"anonymous"; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP command/command-data #2"; flow:to_server; ftp.command; content: "PASS"; ftp.command_data; content:"anonymous"; sid:2;)
+alert ftp any any -> any any (msg: "Match on FTP command-data #2"; flow:to_server; ftp.command_data; content:"temp.txt"; sid:3;)
+alert ftp any any -> any any (msg: "Match on FTP command-data #3"; flow:to_server; ftp.command_data; content:"192,168,0,13,234,10"; sid:4;)
diff --git a/tests/detect-ftp/ftp-command-data-01/test.yaml b/tests/detect-ftp/ftp-command-data-01/test.yaml
new file mode 100644
index 000000000..920ecf4c8
--- /dev/null
+++ b/tests/detect-ftp/ftp-command-data-01/test.yaml
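Review bot: The msg labels on sid 3 and sid 4 are mis-numbered — sid 3 is the first command-data-only rule yet is labelled `Match on FTP command-data #2`, and sid 4 is `#3`; renaming them `Match on FTP command-data #1` and `Match on FTP command-data #2` keeps the labels aligned with the rule order and with the sid-keyed checks in test.yaml. Separately, the `ftp.command` matches in sid 1 and sid 2 use plain `content: "USER"` / `content: "PASS"`; FTP command codes are case-insensitive on the wire (RFC 959), so a rule meant for use beyond this fixture would carry `nocase`, though for a pcap-bound keyword test exact case is acceptable and worth a comment saying so. The four rules are the whole file, so nothing is cut off.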
@@ -0,0 +1,38 @@
+pcap: ../../bug-3519/input.pcap
+
+requires:
+  min-version: 8
+
+checks:
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: USER
+        ftp.command_data: anonymous
+        alert.signature_id: 1
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: PASS
+        ftp.command_data: anonymous
+        alert.signature_id: 2
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: RETR
+        ftp.command_data: temp.txt
+        alert.signature_id: 3
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.command: PORT
+        ftp.command_data: 192,168,0,13,234,10
+        alert.signature_id: 4
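Review bot: The sid 3 and sid 4 checks match `ftp.command: RETR` and `ftp.command: PORT`, but the rules behind those sids constrain only `ftp.command_data`, so those command values are facts about the pcap rather than anything the rule enforces; a reader skimming the file could take this as proof that the keyword pairs command and data for every sid. A one-line comment above the third filter makes the intent explicit, e.g. `# sids 3 and 4 match on ftp.command_data alone; the ftp.command values here document what the reused pcap carries, not a rule constraint`. The pcap itself is borrowed from `../../bug-3519/`, which presumably ties this test to that directory surviving unchanged — a note naming that dependency next to the `pcap:` line would help whoever later touches bug-3519.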