From: Jeff Lucovsky Date: Fri, 28 Mar 2025 13:29:09 +0000 (-0400) Subject: detect/ftp: ftp.reply keyword tests X-Git-Tag: suricata-7.0.11~100 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=799ea5e446a392249b91e898e1cac34bfc7e67de;p=thirdparty%2Fsuricata-verify.git detect/ftp: ftp.reply keyword tests Issue: 7508 Add tests for the ftp.reply keyword. ---
diff --git a/tests/detect-ftp/ftp-reply-01/input.rules b/tests/detect-ftp/ftp-reply-01/input.rules
new file mode 100644
index 000000000..65dc601b5
--- /dev/null
+++ b/tests/detect-ftp/ftp-reply-01/input.rules
@@ -0,0 +1,5 @@
+alert ftp any any -> any any (msg: "Match on FTP reply #1"; flow:to_client; ftp.reply; content:"Please specify the password."; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP reply #2"; flow:to_client; ftp.reply; content:"Opening BINARY mode data connection for temp.txt (1164 bytes)."; sid:2;)
+alert ftp any any -> any any (msg: "Match on FTP reply #3"; flow:to_client; ftp.reply; content:"Transfer complete."; sid:3;)
+alert ftp any any -> any any (msg: "Match on FTP reply #4"; flow:to_client; ftp.reply; content:"Goodbye."; sid:4;)
+alert ftp any any -> any any (msg: "Match on FTP reply #5"; flow:to_client; ftp.reply; content:"Directory send OK."; sid:5;)
diff --git a/tests/detect-ftp/ftp-reply-01/test.yaml b/tests/detect-ftp/ftp-reply-01/test.yaml
new file mode 100644
index 000000000..a23abc30a
--- /dev/null
+++ b/tests/detect-ftp/ftp-reply-01/test.yaml
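Review bot: Every rule in the input.rules hunk matches a bare `content` anywhere in the buffer, so the test never pins where the `ftp.reply` buffer starts or ends — in particular whether the three-digit reply code (331, 150, 226, ...) is part of it or stripped. One anchored rule such as `alert ftp any any -> any any (msg: "Match on FTP reply #1 anchored"; ftp.reply; content:"Please specify the password."; startswith; endswith; sid:6;)` would lock the buffer boundaries in and catch a regression that silently prepends or appends bytes. `flow:to_client` on every rule looks redundant if the keyword is already registered for the to-client direction only; it is harmless, but if it is deliberate a `# ftp.reply is to_client; flow: kept to mirror production rules` comment at the top of the file would say so.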
@@ -0,0 +1,41 @@
+pcap: ../../bug-3519/input.pcap
+
+requires:
+  min-version: 8
+
+checks:
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.reply: ['Please specify the password.']
+        alert.signature_id: 1
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.reply.__contains: 'Opening BINARY mode data connection for temp.txt (1164 bytes).'
+        alert.signature_id: 2
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.reply.__contains: 'Transfer complete.'
+        alert.signature_id: 3
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.reply.__contains: 'Goodbye.'
+        alert.signature_id: 4
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        ftp.reply.__contains: 'Directory send OK.'
+        alert.signature_id: 5
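Review bot: All five checks are positive, so nothing in this file shows that `ftp.reply` is confined to server replies rather than the whole control channel; a rule whose content appears only in the command direction, written without `flow:to_client` so the keyword alone does the scoping, plus a check asserting `count: 0` for its sid, would. If the capture carries a `USER`/`PASS` exchange (the 331 reply matched by the first check suggests it does), `ftp.reply; content:"PASS "; sid:6;` with a `count: 0` filter on `alert.signature_id: 6` is enough. The first check matches `ftp.reply` as an exact one-element list while the other four use `__contains`; if that difference is deliberate (single-line reply versus replies that share a transaction, such as the 150/226 pair for sids 2 and 3) a one-line `# ...` comment above the checks would save the next reader from wondering. The pcap is borrowed from `bug-3519`, so any change to that test's capture silently alters this one.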