From: Mats Klepsland
Date: Wed, 1 Feb 2017 09:24:52 +0000 (+0100)
Subject: app-layer-ftp: detect FTP alproto when using AUTH TLS
X-Git-Tag: suricata-4.0.0-beta1~97
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8125f78f5f40a5969c681a55f84bf1ee09a9ea65;p=thirdparty%2Fsuricata.git
app-layer-ftp: detect FTP alproto when using AUTH TLS
Try to detect FTP using the patterns '220 (' and 'FEAT', since 'USER ' and 'PASS ' are not sent in cleartext when using AUTH TLS.
---
diff --git a/src/app-layer-ftp.c b/src/app-layer-ftp.c
index 681f7ab9c2..f21c73f722 100644
--- a/src/app-layer-ftp.c
+++ b/src/app-layer-ftp.c
@@ -379,6 +379,16 @@ static int FTPGetAlstateProgress(void *tx, uint8_t direction)
 static int FTPRegisterPatternsForProtocolDetection(void)
 {
+ if (AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_FTP,
+ "220 (", 5, 0, STREAM_TOCLIENT) < 0)
+ {
+ return -1;
+ }
+ if (AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_FTP,
+ "FEAT", 4, 0, STREAM_TOSERVER) < 0)
+ {
+ return -1;
+ }
 if (AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_FTP,
 "USER ", 5, 0, STREAM_TOSERVER) < 0)
 {
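Review bot: The two added registrations still leave a visibility gap for explicit FTPS. `"220 ("` matches only banners whose text opens with a parenthesis (vsftpd-style), and `"FEAT"` helps only when the client sends it before `AUTH TLS`. A session where the server greets differently and the client goes straight to `AUTH TLS` would presumably stay unclassified, so FTP rules would not apply to it. Registering the command itself as a to-server pattern, as in the block below, would cover that case. Since 220 is also the SMTP greeting code, a comment on the first registration such as `/* "220 (" is deliberately narrow: a bare "220 " would also match SMTP greetings */` would record why the banner pattern is this specific. FTPRegisterPatternsForProtocolDetection continues past the end of the hunk, so any registrations further down are not visible here.

```c
    /* explicit FTPS: the client may send AUTH TLS before any FEAT or USER */
    if (AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_FTP,
                "AUTH TLS", 8, 0, STREAM_TOSERVER) < 0)
    {
        return -1;
    }
    /* … unchanged: "220 (", "FEAT" and "USER " registrations … */
```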