From: Jason Ish
Date: Fri, 20 Jan 2023 22:26:04 +0000 (-0600)
Subject: tests/ftp: add checks for too long alerts
X-Git-Tag: suricata-6.0.10~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=88b43901352154bc3218800d230729fe4242f87a;p=thirdparty%2Fsuricata-verify.git

tests/ftp: add checks for too long alerts

Related issue: 5235
---
diff --git a/tests/ftp/ftp-too-long-command/ftp-events.rules b/tests/ftp/ftp-too-long-command/ftp-events.rules
new file mode 100644
index 000000000..d32c93f32
--- /dev/null
+++ b/tests/ftp/ftp-too-long-command/ftp-events.rules
@@ -0,0 +1,6 @@
+# FTP app-layer event rules
+#
+# SID range start: 2232000
+
+alert ftp any any -> any any (msg:"SURICATA FTP Request command too long"; flow:to_server; app-layer-event:ftp.request_command_too_long; classtype:protocol-command-decode; sid:2232000; rev:1;)
+alert ftp any any -> any any (msg:"SURICATA FTP Response command too long"; flow:to_client; app-layer-event:ftp.response_command_too_long; classtype:protocol-command-decode; sid:2232001; rev:1;)
diff --git a/tests/ftp/ftp-too-long-command/test.yaml b/tests/ftp/ftp-too-long-command/test.yaml
index 9d3b54bb6..f59c0cd42 100644
--- a/tests/ftp/ftp-too-long-command/test.yaml
+++ b/tests/ftp/ftp-too-long-command/test.yaml
@@ -18,3 +18,19 @@ checks:
 ftp.command_data: index.html
 ftp.command_truncated: false
 ftp.reply_truncated: false
+
+ # Look for anomaly event.
+ - filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: request_command_too_long
+
+ # Look for app-layer alert.
+ - filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2232000
diff --git a/tests/ftp/ftp-too-long-response/ftp-events.rules b/tests/ftp/ftp-too-long-response/ftp-events.rules
new file mode 100644
index 000000000..d32c93f32
--- /dev/null
+++ b/tests/ftp/ftp-too-long-response/ftp-events.rules
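Review bot: The rules file is added twice with identical content (both new files carry index d32c93f32, here and under tests/ftp/ftp-too-long-response/), so an edit to one copy can silently diverge from the other and the two tests would then exercise different rule sets. A one-line header in each copy would make the coupling visible, e.g. `# Kept identical to ../ftp-too-long-response/ftp-events.rules; update both together.`. If these lines are lifted from Suricata's shipped ftp-events.rules, naming that origin in the same comment would also tell a maintainer where to refresh them from when the upstream SIDs or messages change.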
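Review bot: The new alert check only asserts that sid 2232000 fired exactly once; nothing rules out the companion to_client rule (sid 2232001, also loaded from the same ftp-events.rules) firing on this pcap, so a regression that raises both events on a request-side overflow would still pass. A negative filter next to the positive one closes that gap, as sketched below. The anomaly match could likewise pin `anomaly.type: applayer` and `app_proto: ftp` so a same-named event from another layer is not accepted. The same applies to the mirrored checks added in tests/ftp/ftp-too-long-response/test.yaml, where the negative check would be on sid 2232000 instead. Both hunks sit inside the `checks:` list whose start lies outside the hunk.

```yaml
  # … unchanged: existing ftp, anomaly and alert checks …

  # The to_client rule must stay quiet on a request-side overflow.
  - filter:
      min-version: 7
      count: 0
      match:
        event_type: alert
        alert.signature_id: 2232001
```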
@@ -0,0 +1,6 @@
+# FTP app-layer event rules
+#
+# SID range start: 2232000
+
+alert ftp any any -> any any (msg:"SURICATA FTP Request command too long"; flow:to_server; app-layer-event:ftp.request_command_too_long; classtype:protocol-command-decode; sid:2232000; rev:1;)
+alert ftp any any -> any any (msg:"SURICATA FTP Response command too long"; flow:to_client; app-layer-event:ftp.response_command_too_long; classtype:protocol-command-decode; sid:2232001; rev:1;)
diff --git a/tests/ftp/ftp-too-long-response/test.yaml b/tests/ftp/ftp-too-long-response/test.yaml
index 0ebef820e..8df38a9be 100644
--- a/tests/ftp/ftp-too-long-response/test.yaml
+++ b/tests/ftp/ftp-too-long-response/test.yaml
@@ -13,3 +13,20 @@ checks:
 event_type: ftp
 ftp.command: PASV
 ftp.reply_truncated: true
+
+ # Look for anomaly event.
+ - filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.event: response_command_too_long
+
+ # Look for app-layer alert.
+ - filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2232001
+