From: Jeff Lucovsky
Date: Mon, 20 Jan 2025 15:12:07 +0000 (-0500)
Subject: test/ftp: FTP command tests
X-Git-Tag: suricata-7.0.9~69
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c80caf23867ba05ece836ca40968bc730f09aa71;p=thirdparty%2Fsuricata-verify.git

test/ftp: FTP command tests
Issue: 7502
Add test cases for the keyword ftp.command:
- Validate matches
- Validate keyword can't be used for server responses
---
diff --git a/tests/detect-ftp/ftp-command-01/input.rules b/tests/detect-ftp/ftp-command-01/input.rules
new file mode 100644
index 000000000..120bde19f
--- /dev/null
+++ b/tests/detect-ftp/ftp-command-01/input.rules
@@ -0,0 +1,6 @@
+alert ftp any any -> any any (msg: "Match on FTP command PASS"; flow:to_server; ftp.command; content:"PASS"; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP command USER"; flow:to_server; ftp.command; content:"USER"; sid:2;)
+alert ftp any any -> any any (msg: "Match on FTP command NLST"; flow:to_server; ftp.command; content:"NLST"; sid:3;)
+alert ftp any any -> any any (msg: "Match on FTP command PORT"; flow:to_server; ftp.command; content:"PORT"; sid:4;)
+alert ftp any any -> any any (msg: "Match on FTP command RETR"; flow:to_server; ftp.command; content:"RETR"; sid:5;)
+alert ftp any any -> any any (msg: "Match on FTP command QUIT"; flow:to_server; ftp.command; content:"QUIT"; sid:6;)
diff --git a/tests/detect-ftp/ftp-command-01/test.yaml b/tests/detect-ftp/ftp-command-01/test.yaml
new file mode 100644
index 000000000..b5fd8058b
--- /dev/null
+++ b/tests/detect-ftp/ftp-command-01/test.yaml
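Review bot: Every rule in this file carries an explicit `flow:to_server`, so nothing in the new tests exercises `ftp.command` on its own; the commit message's claim that the keyword can't be used for server responses rests only on the load-time conflict check in ftp-command-02. A seventh rule without a flow keyword, e.g. `alert ftp any any -> any any (msg: "ftp.command implies to_server"; ftp.command; content:"PASS"; sid:7;)`, paired with a `count: 1` filter in test.yaml, would pin that the buffer is populated only from the client side. It is also not visible here whether the buffer holds a normalized command name or the client's raw bytes; if the latter, `content:"PASS"` without `nocase` misses a lowercase `pass`, which one extra rule with `nocase` could cover.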
@@ -0,0 +1,49 @@
+pcap: ../../bug-3519/input.pcap
+
+requires:
+ version: 8
+
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PASS
+ alert.signature_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: USER
+ alert.signature_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: NLST
+ alert.signature_id: 3
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ ftp.command: PORT
+ alert.signature_id: 4
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: RETR
+ alert.signature_id: 5
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: QUIT
+ alert.signature_id: 6
diff --git a/tests/detect-ftp/ftp-command-02/input.rules b/tests/detect-ftp/ftp-command-02/input.rules
new file mode 100644
index 000000000..3b0c2c6ee
--- /dev/null
+++ b/tests/detect-ftp/ftp-command-02/input.rules
@@ -0,0 +1,7 @@
+# Wrong direction -- won't load
+alert ftp any any -> any any (flow:to_client; ftp.command; content:"PASS"; sid:10;)
+alert ftp any any -> any any (flow:to_client; ftp.command; content:"USER"; sid:20;)
+alert ftp any any -> any any (flow:to_client; ftp.command; content:"NLST"; sid:30;)
+alert ftp any any -> any any (flow:to_client; ftp.command; content:"PORT"; sid:40;)
+alert ftp any any -> any any (flow:to_client; ftp.command; content:"RETR"; sid:50;)
+alert ftp any any -> any any (flow:to_client; ftp.command; content:"QUIT"; sid:60;)
diff --git a/tests/detect-ftp/ftp-command-02/test.yaml b/tests/detect-ftp/ftp-command-02/test.yaml
new file mode 100644
index 000000000..688161dd2
--- /dev/null
+++ b/tests/detect-ftp/ftp-command-02/test.yaml
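Review bot: The six filters pin per-signature counts but nothing bounds the total number of alerts, so an alert that matches none of the filters slips through unnoticed; an alert for sid 1 whose eve record lacks the `ftp.command` field, which is what a match raised on a server reply would look like, is counted by no filter here. The listed counts sum to 7, so a closing `- filter: {count: 7, match: {event_type: alert}}` would make the check exhaustive and catch that regression. Each filter already ties the signature to its command via `ftp.command`, which is good; the total is the only missing bound.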
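Review bot: The comment `# Wrong direction -- won't load` states the outcome but not the cause, and the cause is exactly what the companion test.yaml greps for. Spelling it out, e.g. `# flow:to_client conflicts with ftp.command (client-to-server only); Suricata rejects each rule at load time`, tells the next reader why sids 10-60 are expected to produce the "mixes keywords with conflicting directions" error rather than simply never matching.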
@@ -0,0 +1,26 @@
+pcap: ../../bug-3519/input.pcap
+
+requires:
+ version: 8
+
+exit-code: 1
+
+checks:
+ - shell:
+ args: grep "rule 10 mixes keywords with conflicting directions" suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep "rule 20 mixes keywords with conflicting directions" suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep "rule 30 mixes keywords with conflicting directions" suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep "rule 40 mixes keywords with conflicting directions" suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep "rule 50 mixes keywords with conflicting directions" suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep "rule 60 mixes keywords with conflicting directions" suricata.log | wc -l | xargs
+ expect: 1
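Review bot: Each check spawns `grep | wc -l | xargs` only to produce a whitespace-trimmed match count, which `grep -c` yields in one process: `args: grep -c "rule 10 mixes keywords with conflicting directions" suricata.log` with the same `expect: 1`, likewise for rules 20-60. Before switching, confirm how the harness treats the command's exit status, since `grep -c` exits non-zero on zero matches whereas the current pipeline ends in `xargs` and exits 0 either way; if a non-zero status is reported as a failure rather than compared through `expect`, the existing form is the safer one and should stay. Independently of that, the six checks prove only that each rule was rejected for direction, and `exit-code: 1` is what guarantees no partial rule set ran, so a one-line comment above `exit-code: 1` saying that all six rules are expected to fail to load would make that dependency explicit.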