From 8125f78f5f40a5969c681a55f84bf1ee09a9ea65 Mon Sep 17 00:00:00 2001
From: Mats Klepsland <mats.klepsland@gmail.com>
Date: Wed, 1 Feb 2017 10:24:52 +0100
Subject: [PATCH] app-layer-ftp: detect FTP alproto when using AUTH TLS

Try to detect FTP using the patterns '220 (' and 'FEAT', since 'USER '
and 'PASS ' are not sent in cleartext when using AUTH TLS.
---
 src/app-layer-ftp.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/app-layer-ftp.c b/src/app-layer-ftp.c
index 681f7ab9c2..f21c73f722 100644
--- a/src/app-layer-ftp.c
+++ b/src/app-layer-ftp.c
@@ -379,6 +379,16 @@ static int FTPGetAlstateProgress(void *tx, uint8_t direction)
 
 static int FTPRegisterPatternsForProtocolDetection(void)
 {
+    if (AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_FTP,
+                                              "220 (", 5, 0, STREAM_TOCLIENT) < 0)
+    {
+        return -1;
+    }
+    if (AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_FTP,
+                                               "FEAT", 4, 0, STREAM_TOSERVER) < 0)
+    {
+        return -1;
+    }
     if (AppLayerProtoDetectPMRegisterPatternCI(IPPROTO_TCP, ALPROTO_FTP,
                                                "USER ", 5, 0, STREAM_TOSERVER) < 0)
     {
-- 
2.47.2