From: Jeff Lucovsky
Date: Sat, 26 Apr 2025 12:16:34 +0000 (-0400)
Subject: test/ftp: Tests for ftp.mode keyword
X-Git-Tag: suricata-7.0.11~60
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2508%2Fhead;p=thirdparty%2Fsuricata-verify.git
test/ftp: Tests for ftp.mode keyword Issue: 7505 Add tests for the ftp.mode keyword for active, passive, and rule keyword validation checks on the keyword option value.
---
diff --git a/tests/detect-ftp/ftp-mode-01/input.rules b/tests/detect-ftp/ftp-mode-01/input.rules
new file mode 100644
index 000000000..fda30b325
--- /dev/null
+++ b/tests/detect-ftp/ftp-mode-01/input.rules
@@ -0,0 +1 @@
+alert ftp any any -> any any (msg: "Match on FTP active mode"; flow:established; ftp.mode: active; sid:1;)
diff --git a/tests/detect-ftp/ftp-mode-01/test.yaml b/tests/detect-ftp/ftp-mode-01/test.yaml
new file mode 100644
index 000000000..191fb7443
--- /dev/null
+++ b/tests/detect-ftp/ftp-mode-01/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ version: 8
+
+pcap: ../../bug-3519/input.pcap
+
+checks:
+
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.mode: active
+ alert.signature_id: 1
diff --git a/tests/detect-ftp/ftp-mode-02/input.pcap b/tests/detect-ftp/ftp-mode-02/input.pcap
new file mode 100644
index 000000000..811c225d1
Binary files /dev/null and b/tests/detect-ftp/ftp-mode-02/input.pcap differ
diff --git a/tests/detect-ftp/ftp-mode-02/input.rules b/tests/detect-ftp/ftp-mode-02/input.rules
new file mode 100644
index 000000000..fd600bee9
--- /dev/null
+++ b/tests/detect-ftp/ftp-mode-02/input.rules
@@ -0,0 +1 @@
+alert ftp any any -> any any (msg: "Match on FTP passive mode #1"; flow:established; ftp.mode:passive; sid:1;)
diff --git a/tests/detect-ftp/ftp-mode-02/test.yaml b/tests/detect-ftp/ftp-mode-02/test.yaml
new file mode 100644
index 000000000..0583a7998
--- /dev/null
+++ b/tests/detect-ftp/ftp-mode-02/test.yaml
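Review bot: The only check in ftp-mode-01/test.yaml is a positive filter (count 4 on `ftp.command: PORT`, `ftp.mode: active`, sid 1), so the test still passes if `ftp.mode: active` also fires on non-PORT transactions in the capture — the keyword's exclusion behaviour is never pinned. A second filter without the command/mode constraints, `- filter: count: 4 match: event_type: alert alert.signature_id: 1`, would fail as soon as sid 1 alerts anywhere else. The test also borrows `../../bug-3519/input.pcap` from another test directory, so a rename of that test breaks this one with no local hint as to why; a one-line comment stating why that capture was chosen (presumably it carries exactly four PORT commands — confirm) would help the next maintainer.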
@@ -0,0 +1,16 @@
+requires:
+ version: 8
+
+pcap: ../../ftp-epsv/input.pcap
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 8
+ match:
+ event_type: alert
+ ftp.mode: passive
+ alert.signature_id: 1
diff --git a/tests/detect-ftp/ftp-mode-03/input.rules b/tests/detect-ftp/ftp-mode-03/input.rules
new file mode 100644
index 000000000..b2b654fe3
--- /dev/null
+++ b/tests/detect-ftp/ftp-mode-03/input.rules
@@ -0,0 +1,3 @@
+alert ftp any any -> any any (msg: "Match on FTP active mode"; flow:established; ftp.mode: suricata; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP active mode"; flow:established; ftp.mode: xpassive; sid:2;)
+alert ftp any any -> any any (msg: "Match on FTP active mode"; flow:established; ftp.mode: xactive; sid:3;)
diff --git a/tests/detect-ftp/ftp-mode-03/test.yaml b/tests/detect-ftp/ftp-mode-03/test.yaml
new file mode 100644
index 000000000..af5086ddf
--- /dev/null
+++ b/tests/detect-ftp/ftp-mode-03/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ version: 8
+ pcap: false
+
+exit-code: 1
+
+args:
+ - --engine-analysis
+
+checks:
+
+ - shell:
+ args: grep "error parsing signature" suricata.log | wc -l | xargs
+ expect: 3
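Review bot: ftp-mode-02/test.yaml reads its capture from `../../ftp-epsv/input.pcap`, yet this same commit adds a binary `tests/detect-ftp/ftp-mode-02/input.pcap` that nothing in the diff references. Either the local file is the intended input and the `pcap:` line should go (if, as I believe, suricata-verify defaults to the test's own input.pcap), or the unused capture should not be committed; as written a reader cannot tell which capture the expected count of 8 was derived from. The `-k none` argument disables checksum verification, presumably because the borrowed capture carries bad checksums — a comment such as `# capture has invalid checksums` on that line would make the reason explicit.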
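Review bot: All three rules in ftp-mode-03/input.rules carry `msg: "Match on FTP active mode"` although each exists to fail parsing on an invalid `ftp.mode` value (`suricata`, `xpassive`, `xactive`); the copy-pasted message misdescribes the negative test when the log is inspected. A message per rule such as `msg: "ftp.mode rejects unknown value xpassive"` makes the expected errors self-explanatory. The set also has no rule with an empty value (`ftp.mode;`) and none with a different case (`ftp.mode: Active`), so whether the parser rejects or accepts those is left untested — whichever is intended, pinning it here costs one line each.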
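Review bot: The shell check in ftp-mode-03/test.yaml asserts only that `error parsing signature` occurs three times in suricata.log, so it passes for any mix that totals three — it cannot distinguish three rejected rules from one rule that logs twice plus one other, and it never ties the failures to sids 1–3. If the error line carries the offending sid or option value, grepping for each one separately would pin the behaviour per rule; if it does not, a comment above the check stating that each invalid rule is expected to produce exactly one such line would at least record the assumption. `grep ... | wc -l | xargs` can also be shortened to `grep -c "error parsing signature" suricata.log`, which yields the same trimmed count in a single process.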