From: Cole Dishington Date: Tue, 23 May 2023 02:28:13 +0000 (+1200) Subject: ftp: Add test for FTP bounce attack detection X-Git-Tag: suricata-7.0.0~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1284%2Fhead;p=thirdparty%2Fsuricata-verify.git ftp: Add test for FTP bounce attack detection Add test for false positive and true positive FTP bounce detection. Bug: #6087
---
diff --git a/tests/ftp/ftp-bounce/Makefile b/tests/ftp/ftp-bounce/Makefile
new file mode 100644
index 000000000..32cfed79c
--- /dev/null
+++ b/tests/ftp/ftp-bounce/Makefile
@@ -0,0 +1,4 @@
+FLOWSYNTH?=flowsynth.py
+
+test.pcap: test.syn
+ $(FLOWSYNTH) -f pcap -w $@ $^
diff --git a/tests/ftp/ftp-bounce/README.md b/tests/ftp/ftp-bounce/README.md
new file mode 100644
index 000000000..833c2fe52
--- /dev/null
+++ b/tests/ftp/ftp-bounce/README.md
@@ -0,0 +1,8 @@
+# Test Purpose
+
+Test that an FTP bounce is not detected for a valid FTP PORT command but is
+detected for an invalid FTP PORT command.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
diff --git a/tests/ftp/ftp-bounce/test.pcap b/tests/ftp/ftp-bounce/test.pcap
new file mode 100644
index 000000000..a9821b0e9
Binary files /dev/null and b/tests/ftp/ftp-bounce/test.pcap differ
diff --git a/tests/ftp/ftp-bounce/test.rules b/tests/ftp/ftp-bounce/test.rules
new file mode 100644
index 000000000..b08879b52
--- /dev/null
+++ b/tests/ftp/ftp-bounce/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"FTP bounce attack"; ftpbounce; sid:1;)
\ No newline at end of file
diff --git a/tests/ftp/ftp-bounce/test.syn b/tests/ftp/ftp-bounce/test.syn
new file mode 100644
index 000000000..a275aad2c
--- /dev/null
+++ b/tests/ftp/ftp-bounce/test.syn
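Review bot: The single rule in the test.rules hunk has no `rev` keyword and the file ends without a newline (`\ No newline at end of file`); Suricata rule convention pairs every `sid` with a revision, so `alert tcp any any -> any any (msg:"FTP bounce attack"; ftpbounce; sid:1; rev:1;)` followed by a trailing newline is the conventional form. The match itself is unaffected, so this is a style point only.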
@@ -0,0 +1,19 @@
+# This is a valid FTP control transaction for active session
+flow valid tcp 1.1.1.2:33112 > 2.2.2.1:21 (tcp.initialize; mss:9000;);
+valid < (content:"220 Operation successful\x0d\x0a";);
+valid > (content:"USER anonymous\x0d\x0a";);
+valid < (content:"230 Operation successful\x0d\x0a";);
+valid > (content:"PORT 1,1,1,2,232,157\x0d\x0a";);
+valid < (content:"200 Operation successful\x0d\x0a";);
+valid > (content:"QUIT\x0d\x0a";);
+valid < (content:"221 Operation successful\x0d\x0a";);
+
+# This is a FTP control transaction attempting a bounce attack
+flow attack tcp 1.1.1.2:58316 > 2.2.2.1:21 (tcp.initialize;);
+attack < (content:"220 Operation successful\x0d\x0a";);
+attack > (content:"USER anonymous\x0d\x0a";);
+attack < (content:"230 Operation successful\x0d\x0a";);
+attack > (content:"PORT 2,2,2,3,0,80\x0d\x0a";);
+attack < (content:"200 Operation successful\x0d\x0a";);
+attack > (content:"QUIT\x0d\x0a";);
+attack < (content:"221 Operation successful\x0d\x0a";);
diff --git a/tests/ftp/ftp-bounce/test.yaml b/tests/ftp/ftp-bounce/test.yaml
new file mode 100644
index 000000000..7c242b6a6
--- /dev/null
+++ b/tests/ftp/ftp-bounce/test.yaml
@@ -0,0 +1,38 @@
+checks:
+ # Match on the valid FTP connection, discern by user port 33112
+ - filter:
+ count: 1
+ match:
+ src_port: 33112
+ event_type: ftp
+ ftp.mode: active
+ ftp.command: PORT
+ ftp.dynamic_port: 59549
+ ftp.reply_received: 'yes'
+ # First FTP connect is all valid, no alerts should be generated
+ - filter:
+ count: 0
+ match:
+ src_port: 33112
+ event_type: alert
+ alert.signature_id: 1
+ app_proto: ftp
+
+ # Match on the FTP bounce connection, discern by user port 58316
+ - filter:
+ count: 1
+ match:
+ src_port: 58316
+ event_type: ftp
+ ftp.mode: active
+ ftp.command: PORT
+ ftp.dynamic_port: 80
+ ftp.reply_received: 'yes'
+ # Catch the attack
+ - filter:
+ count: 1
+ match:
+ src_port: 58316
+ event_type: alert
+ alert.signature_id: 1
+ app_proto: ftp
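Review bot: The comment above the second flow in the test.syn hunk says it attempts a bounce but not what makes it one, which the reader has to reconstruct from the PORT argument; `# Bounce attempt: PORT names 2.2.2.3:80, a host other than the client 1.1.1.2` would make the contrast with the valid flow explicit, whose `PORT 1,1,1,2,232,157` names the client's own address and port 232*256+157 = 59549, the value test.yaml expects in `ftp.dynamic_port`. The valid flow also sets `mss:9000` while the attack flow does not; if that difference is not deliberate, dropping it leaves the two flows differing only in the PORT argument, which is the property under test. The same comment reads "a FTP"; "an FTP" matches the first comment.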
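Review bot: Nothing in the test.yaml hunk gates which Suricata versions run this test, although the referenced Bug #6087 and the suricata-7.0.0~24 tag suggest the behaviour it pins is recent; on a branch without that change the `count: 0` alert check for port 33112 would fail rather than be skipped. If the change is not backported, a `requires:` block with `min-version: 7.0.0` at the top of the file would keep the test out of older runs. The `count: 0` check is correctly paired with the preceding `count: 1` ftp-event check on the same port, so it cannot pass vacuously when the flow is not parsed as FTP; a one-line comment saying so would save the next reader the same verification.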