From 84a057cb4c7fd650b8e0cba48c3788b8a43f011f Mon Sep 17 00:00:00 2001
From: Cole Dishington
Date: Tue, 23 May 2023 14:28:13 +1200
Subject: [PATCH] ftp: Add test for FTP bounce attack detection

Add test for false positive and true positive FTP bounce detection.

Bug: #6087
---
 tests/ftp/ftp-bounce/Makefile | 4 ++++
 tests/ftp/ftp-bounce/README.md | 8 +++++++
 tests/ftp/ftp-bounce/test.pcap | Bin 0 -> 2697 bytes
 tests/ftp/ftp-bounce/test.rules | 1 +
 tests/ftp/ftp-bounce/test.syn | 19 ++++++++++++++++
 tests/ftp/ftp-bounce/test.yaml | 38 ++++++++++++++++++++++++++++++++
 6 files changed, 70 insertions(+)
 create mode 100644 tests/ftp/ftp-bounce/Makefile
 create mode 100644 tests/ftp/ftp-bounce/README.md
 create mode 100644 tests/ftp/ftp-bounce/test.pcap
 create mode 100644 tests/ftp/ftp-bounce/test.rules
 create mode 100644 tests/ftp/ftp-bounce/test.syn
 create mode 100644 tests/ftp/ftp-bounce/test.yaml

diff --git a/tests/ftp/ftp-bounce/Makefile b/tests/ftp/ftp-bounce/Makefile
new file mode 100644
index 000000000..32cfed79c
--- /dev/null
+++ b/tests/ftp/ftp-bounce/Makefile
@@ -0,0 +1,4 @@
+FLOWSYNTH?=flowsynth.py
+
+test.pcap: test.syn
+ $(FLOWSYNTH) -f pcap -w $@ $^
diff --git a/tests/ftp/ftp-bounce/README.md b/tests/ftp/ftp-bounce/README.md
new file mode 100644
index 000000000..833c2fe52
--- /dev/null
+++ b/tests/ftp/ftp-bounce/README.md
@@ -0,0 +1,8 @@
+# Test Purpose
+
+Test that an FTP bounce is not detected for a valid FTP PORT command but is
+detected for an invalid FTP PORT command.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
diff --git a/tests/ftp/ftp-bounce/test.pcap b/tests/ftp/ftp-bounce/test.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a9821b0e90f6ebb72f3f31a788a3c02528dcc386 GIT binary patch literal 2697 zc-n=O4NMbf0EWLZCafw$1_&aou&n}?LQ8332y>`Jjj@%ML|Fg{KbtFUK|~<~8Re(C zEE<9c1R0ZXF&o=LkY!_*&C$*H2a6k!h6xS|xYe#sTsPT7_T7Dj50?7%nm27Om#5FY zmwSf{-RE6^D_A@h764$uZ*_q-N8rN-V)&cRCkd~gY}zUKSvu)@%pL3iAe6pr>#8Hy zSuBnf4@S}QW!k5;{pRZD8r>L5 zlAY4^KbKs_#g7AORPeurQ5hcs$VQE_&5Zc$NQasFC1&EK#QTUMTF8~wHC z*v@tNW4%r-D;P^7vaAYZgJgJ;j_&T`_4)G;7n&~*>}DvjcFI={DbTXQ1VE~MM+zrP ztx=b%G{r^8Z7c}8$r8KP_$FVTaMKOHM|=(yFaeC)RphpogBwg~;P!3erluY!A8sW! zh$wV}NwC3aQiJMXZ0WT<{9M1;-9N_s)=grA0Wi&s{>mq<>AaZ=XJx z-&0q`P!jEw9)}cYIV*+tCrwds1U&j9*6s}L$PiqWvmMte$hA7t~mn~;zwn}lu_fE|VQ_)11rRAi`5oMnM_ijBs+xG8` zp^+aI&n7&rcgAIDIYZ{0EvH$CEvG1V5K``Uwcb{;*Qq75oK!Zl^cCUd95VEW-j2x0 zm~VOiisR*6L4lTm8pq42jKOZ}jQ7I4g+krji0l{Qb68qVN{-x`#JE9&vi{`WgK>YR zJ-VMsY;b8gLk68K=N}Sm`R=KZ&&%4nfBLQcQVp@erRAjJkmbfWHrNGE(uth%{677X zYLD?yf{3BS+bLf-q(I9X@%H5u(yPgf=0)*hqmW*~t5{FhJ#bX%I^J(-pBW^UNDm&L z(c>b$&Ujqn+>4_PCi63VZN~jvVu^@Cm)PNKHoX(D<-KU_2kn8k45h}qb;J_+i?d0s zL6*shcs50OsrtwA+R5S8Zn5LpTtR`B^ShVNX8UW{$QrT5!g_Ea{F`$U8L>Bd@I;K! zDr7XY75CQQ&FzbQr?FI^;vOgVhA7Y|SnF&yMM>B)xT-(m=*YHfIoktLh`osxXS2fs Fz<&ixRiXd@ literal 0 Hc-jL100001 diff --git a/tests/ftp/ftp-bounce/test.rules b/tests/ftp/ftp-bounce/test.rules new file mode 100644 index 000000000..b08879b52 --- /dev/null +++ b/tests/ftp/ftp-bounce/test.rules @@ -0,0 +1 @@ +alert tcp any any -> any any (msg:"FTP bounce attack"; ftpbounce; sid:1;) \ No newline at end of file diff --git a/tests/ftp/ftp-bounce/test.syn b/tests/ftp/ftp-bounce/test.syn new file mode 100644 index 000000000..a275aad2c --- /dev/null +++ b/tests/ftp/ftp-bounce/test.syn 
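Review bot: The single rule in test.rules scopes itself through `ftpbounce` alone: it carries no `flow:to_server,established;`, no `rev`, and the `\ No newline at end of file` marker shows the file is not newline-terminated. If the keyword already pins the app-layer protocol to FTP and the client-to-server direction (Suricata appears to do this, but that is inferred rather than visible here) the flow keyword is redundant, yet stating it makes the intent of the test rule explicit and matches how a production rule would be written. I would change the line to `alert tcp any any -> any any (msg:"FTP bounce attack"; flow:to_server,established; ftpbounce; sid:1; rev:1;)` and terminate the file with a newline.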
@@ -0,0 +1,19 @@
+# This is a valid FTP control transaction for active session
+flow valid tcp 1.1.1.2:33112 > 2.2.2.1:21 (tcp.initialize; mss:9000;);
+valid < (content:"220 Operation successful\x0d\x0a";);
+valid > (content:"USER anonymous\x0d\x0a";);
+valid < (content:"230 Operation successful\x0d\x0a";);
+valid > (content:"PORT 1,1,1,2,232,157\x0d\x0a";);
+valid < (content:"200 Operation successful\x0d\x0a";);
+valid > (content:"QUIT\x0d\x0a";);
+valid < (content:"221 Operation successful\x0d\x0a";);
+
+# This is a FTP control transaction attempting a bounce attack
+flow attack tcp 1.1.1.2:58316 > 2.2.2.1:21 (tcp.initialize;);
+attack < (content:"220 Operation successful\x0d\x0a";);
+attack > (content:"USER anonymous\x0d\x0a";);
+attack < (content:"230 Operation successful\x0d\x0a";);
+attack > (content:"PORT 2,2,2,3,0,80\x0d\x0a";);
+attack < (content:"200 Operation successful\x0d\x0a";);
+attack > (content:"QUIT\x0d\x0a";);
+attack < (content:"221 Operation successful\x0d\x0a";);
diff --git a/tests/ftp/ftp-bounce/test.yaml b/tests/ftp/ftp-bounce/test.yaml
new file mode 100644
index 000000000..7c242b6a6
--- /dev/null
+++ b/tests/ftp/ftp-bounce/test.yaml
@@ -0,0 +1,38 @@
+checks:
+ # Match on the valid FTP connection, discern by user port 33112
+ - filter:
+ count: 1
+ match:
+ src_port: 33112
+ event_type: ftp
+ ftp.mode: active
+ ftp.command: PORT
+ ftp.dynamic_port: 59549
+ ftp.reply_received: 'yes'
+ # First FTP connect is all valid, no alerts should be generated
+ - filter:
+ count: 0
+ match:
+ src_port: 33112
+ event_type: alert
+ alert.signature_id: 1
+ app_proto: ftp
+
+ # Match on the FTP bounce connection, discern by user port 58316
+ - filter:
+ count: 1
+ match:
+ src_port: 58316
+ event_type: ftp
+ ftp.mode: active
+ ftp.command: PORT
+ ftp.dynamic_port: 80
+ ftp.reply_received: 'yes'
+ # Catch the attack
+ - filter:
+ count: 1
+ match:
+ src_port: 58316
+ event_type: alert
+ alert.signature_id: 1
+ app_proto: ftp
-- 
2.47.2
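Review bot: The comment above the attack flow does not say what makes `PORT 2,2,2,3,0,80` a bounce, so a reader has to decode the octets and compare them with the client address by hand; I would extend it to `# Bounce attack: PORT points at a third host (2.2.2.3:80) instead of the client's own address 1.1.1.2` and annotate the valid flow with `# PORT 1,1,1,2,232,157 encodes the client's own address 1.1.1.2:59549`, which is the value test.yaml checks as ftp.dynamic_port. The server answers the bounce PORT with `200 Operation successful`; a hardened FTP server would normally refuse a third-party PORT with a 5xx reply, so this pcap only exercises the case where the server accepts it — if that is deliberate, say so in the comment, otherwise a second flow with a rejected PORT would show detection does not depend on the reply. The valid flow also sets `mss:9000` while the attack flow does not; if the option is irrelevant to the test, dropping it from the valid flow keeps the two transactions directly comparable.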
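Review bot: The false-positive check (`count: 0` on `alert.signature_id: 1`) is filtered by `src_port: 33112`, so an alert raised on a server-to-client packet of the same session (src_port 21) or on any packet of the attack flow would not be counted and the negative case would pass regardless. An unfiltered alert count pins the expected total for the whole pcap so that any stray alert fails the test; the positive check could likewise add `dest_port: 21` so the alert is known to come from the client's PORT command rather than from the reply direction. The indentation of the new file cannot be judged from this rendering, so the fence below uses the two-space convention as a placeholder.
```yaml
checks:
  # … unchanged: the four existing per-port checks …
  # Exactly one alert in the whole pcap, on any packet or direction
  - filter:
      count: 1
      match:
        event_type: alert
        alert.signature_id: 1
```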