From d54a3f3daeb5a39b22c5942fe9844ed4f6dfc8d8 Mon Sep 17 00:00:00 2001 
From: Jeff Lucovsky
Date: Sun, 20 Apr 2025 15:32:58 -0400
Subject: [PATCH] detect/ftp: Tests for ftp.dynamic_port
Add tests for FTP's dynamic_port -- active and passive. The ftp-active-dynamic_port-01 test case includes tests for the comparison operands -- since the implementation uses the U16 matching and parsing logic, only one test case has the additional test cases.
---
.../ftp-active-dynamic_port-01/input.rules | 7 ++
.../ftp-active-dynamic_port-01/test.yaml | 63 ++++++++++++++++++
.../ftp-active-dynamic_port-02/Makefile | 2 +
.../ftp-active-dynamic_port-02/README.md | 3 +
.../ftp-active-dynamic_port.pcap | Bin 0 -> 1720 bytes
.../ftp-active-dynamic_port.syn | 10 +++
.../ftp-active-dynamic_port-02/input.rules | 1 +
.../ftp-active-dynamic_port-02/test.yaml | 16 +++++
.../ftp-passive-dynamic_port-01/input.rules | 1 +
.../ftp-passive-dynamic_port-01/test.yaml | 14 ++++
.../ftp-passive-dynamic_port-02/Makefile | 3 +
.../ftp-passive-dynamic_port.pcap | Bin 0 -> 2313 bytes
.../ftp-passive-dynamic_port.syn | 14 ++++
.../ftp-passive-dynamic_port-02/input.rules | 1 +
.../ftp-passive-dynamic_port-02/test.yaml | 14 ++++
15 files changed, 149 insertions(+)
create mode 100644 tests/detect-ftp/ftp-active-dynamic_port-01/input.rules
create mode 100644 tests/detect-ftp/ftp-active-dynamic_port-01/test.yaml
create mode 100644 tests/detect-ftp/ftp-active-dynamic_port-02/Makefile
create mode 100644 tests/detect-ftp/ftp-active-dynamic_port-02/README.md
create mode 100644 tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.pcap
create mode 100644 tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.syn
create mode 100644 tests/detect-ftp/ftp-active-dynamic_port-02/input.rules
create mode 100644 tests/detect-ftp/ftp-active-dynamic_port-02/test.yaml
create mode 100644 tests/detect-ftp/ftp-passive-dynamic_port-01/input.rules
create mode 100644 tests/detect-ftp/ftp-passive-dynamic_port-01/test.yaml
create mode 100644 tests/detect-ftp/ftp-passive-dynamic_port-02/Makefile
create mode 100644 tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.pcap
create mode 100644 tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.syn
create mode 100644 tests/detect-ftp/ftp-passive-dynamic_port-02/input.rules
create mode 100644 tests/detect-ftp/ftp-passive-dynamic_port-02/test.yaml
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-01/input.rules b/tests/detect-ftp/ftp-active-dynamic_port-01/input.rules
new file mode 100644
index 000000000..c322d5ed2
--- /dev/null
+++ b/tests/detect-ftp/ftp-active-dynamic_port-01/input.rules
@@ -0,0 +1,7 @@
+alert ftp any any -> any any (msg: "Match on FTP active port #1"; flow:to_server; ftp.dynamic_port: 59914; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP active port #2: equality"; flow:to_server; ftp.dynamic_port: =59926; sid:2;)
+alert ftp any any -> any any (msg: "Match on FTP active port #3: >="; flow:to_server; ftp.dynamic_port: >=59926; sid:3;)
+alert ftp any any -> any any (msg: "Match on FTP active port #4: <="; flow:to_server; ftp.dynamic_port: <=59926; sid:4;)
+alert ftp any any -> any any (msg: "Match on FTP active port #5: <"; flow:to_server; ftp.dynamic_port: <59927; sid:5;)
+alert ftp any any -> any any (msg: "Match on FTP active port #6: >"; flow:to_server; ftp.dynamic_port: >59925; sid:6;)
+alert ftp any any -> any any (msg: "Match on FTP active port #7: range"; flow:to_server; ftp.dynamic_port: 59925-59927; sid:7;)
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-01/test.yaml b/tests/detect-ftp/ftp-active-dynamic_port-01/test.yaml
new file mode 100644
index 000000000..435d03d59
--- /dev/null
+++ b/tests/detect-ftp/ftp-active-dynamic_port-01/test.yaml
@@ -0,0 +1,63 @@
+pcap: ../../bug-3519/input.pcap
+
+requires:
+ version: 8
+
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.dynamic_port: 59914
+ alert.signature_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.dynamic_port: 59926
+ alert.signature_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.dynamic_port: 59926
+ alert.signature_id: 3
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.dynamic_port: 59926
+ alert.signature_id: 4
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.dynamic_port: 59926
+ alert.signature_id: 5
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.dynamic_port: 59926
+ alert.signature_id: 6
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.dynamic_port: 59926
+ alert.signature_id: 7
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/Makefile b/tests/detect-ftp/ftp-active-dynamic_port-02/Makefile
new file mode 100644
index 000000000..054932ac4
--- /dev/null
+++ b/tests/detect-ftp/ftp-active-dynamic_port-02/Makefile
@@ -0,0 +1,2 @@
+ftp-active-dynamic_port.pcap: ftp-active-dynamic_port.syn
+ flowsynth.py -f pcap -w $@ $^
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/README.md b/tests/detect-ftp/ftp-active-dynamic_port-02/README.md
new file mode 100644
index 000000000..35b1cea36
--- /dev/null
+++ b/tests/detect-ftp/ftp-active-dynamic_port-02/README.md
@@ -0,0 +1,3 @@
+pcap made with flowsynth
+
+https://github.com/secureworks/flowsynth
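Review bot: The checks for sid 4 (`<=59926`) and sid 5 (`<59927`) filter only on `ftp.dynamic_port: 59926`, yet the same pcap carries the PORT 59914 command that the sid 1 check relies on, and 59914 satisfies both comparisons, so those two rules should presumably also alert on it and the test never asserts that they do. Adding `count: 1` filters on 59914 for signature ids 4 and 5, together with `count: 0` filters on 59914 for sids 3, 6 and 7, would pin the operand semantics this case exists to cover rather than only the equality-like path. Whether the bug-3519 pcap contains further PORT commands I cannot tell from the hunk, so the expected counts may need adjusting once checked against the eve output.
```yaml
# … unchanged: pcap, requires and the seven existing filters …
  - filter:
      count: 1
      match:
        event_type: alert
        ftp.command: PORT
        ftp.dynamic_port: 59914
        alert.signature_id: 4

  - filter:
      count: 1
      match:
        event_type: alert
        ftp.command: PORT
        ftp.dynamic_port: 59914
        alert.signature_id: 5
```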
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.pcap b/tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.pcap new file mode 100644 index 0000000000000000000000000000000000000000..7558fd8063dff281e18948254df6ebca47263d11 GIT binary patch literal 1720 zc-n=Oc}Ns-6vuzr;baFy^AXur*&gQk0C8lOsZLOM>rR(f(b-i}oS=|adBvh(D z%A!L$FtC!6@*pZLMUC(vD(S$C0qIRN@Wr|2ijh87|?F+)MdR4v4FFkqte~Lg5NXQj92*cgmDS z8}D0gH=J<$)^_5FLl-bWSUm$MXGBWxE()!Mq7bX$#%x=HNBfKwB|U_qk|=jZxnSZl zmqz`-WLbvx3b&YO4L0Xs^WteP0{3%*Z1aL{n}0a*6QL+2O1)hQ*fn<}6r%~-LTB^XENYc$Wv$8OXZ|d2xY$y*-d*W% z^j3%)(b_9&WhGH44vIpKecAlFKCjDGaKP6>DC;CjnOzEKc`pNZrGi$cV=a$q-h?@W zeh+O)!L&)s^H!r-=PTN3INA1t_hMW4+AH2=gXV<}hv)_=Cbn^+?R*`%PhyL`HB`Q` zzN>YmQ#q*yNR(Q;6tJ~Dh2;&=X#Tm0YJ)mit>~qD+H1GMc+>m+ISvO|4Dlptk)m2Z zrqBi`3fUBe3K8C3`z_hZ63QxxQf-$4YDJZ>eM*LoGA0``X+E3dFwg6=)1~Qk=w-$8 z2Gz?~OXF?^J0CCK^=A|+MUX-j=*KWB7Q;sX$LLi7ftXS0IKL#7K7do?Dwiu+zg)3}%PDdT zaoU1E!8Jao>aY2CI-GI^BwlF2JRr7UG*Bo7ibDE(w9_odJsJx=aVw#0mndiLQlJIu z7)+UAXwn8}%*fDY>P8Nm4mD=-1|2rT-^`Gi4EHp#()y;3cn6$%n;%hE5;~+E2zK}b z#6!A>eT!)Cnns}&P!!VJm-X}Lgl%C_-R`2juS9t;%D!vZzRek-%`uVD($=QQM$hq_ zI@agc_om-`@t8(E#HdL$YD}ll8Yl`ma=Cf@lA69)%H?Paq4-Obd!vkchK&wA7v7l) lI>KnwCGEk|vX*9yFmwMh{qy}J4=qgxr;cg%gP7ey=r4hneJ}t3 literal 0 Hc-jL100001 diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.syn b/tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.syn new file mode 100644 index 000000000..b67be599f --- /dev/null +++ b/tests/detect-ftp/ftp-active-dynamic_port-02/ftp-active-dynamic_port.syn 
@@ -0,0 +1,10 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:21 (tcp.initialize; mss: 9000;);
+default < (content:"220 (Ftp Server)\x0d\x0a";);
+default > (content:"USER user\x0d\x0a";);
+default < (content:"331 Please specify the password.\x0d\x0a";);
+default > (content:"PASS password\x0d\x0a";);
+default < (content:"230 Login successful.\x0d\x0a";);
+default > (content:"EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|34325|\x0d\x0a";);
+default < (content:"200 EPRT command successful. Consider using EPSV\x0d\x0a";);
+default < (content:"QUIT\x0d\x0a";);
+default < (content:"221 Goodbye.\x0d\x0a";);
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/input.rules b/tests/detect-ftp/ftp-active-dynamic_port-02/input.rules
new file mode 100644
index 000000000..ba85abcfc
--- /dev/null
+++ b/tests/detect-ftp/ftp-active-dynamic_port-02/input.rules
@@ -0,0 +1 @@
+alert ftp any any -> any any (msg: "Match on FTP active port #1"; ftp.dynamic_port: 34325; sid:1;)
diff --git a/tests/detect-ftp/ftp-active-dynamic_port-02/test.yaml b/tests/detect-ftp/ftp-active-dynamic_port-02/test.yaml
new file mode 100644
index 000000000..a3fe08054
--- /dev/null
+++ b/tests/detect-ftp/ftp-active-dynamic_port-02/test.yaml
@@ -0,0 +1,16 @@
+pcap: ftp-active-dynamic_port.pcap
+
+requires:
+ version: 8
+
+args:
+- -k none
+checks:
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ ftp.command: EPRT
+ ftp.dynamic_port: 34325
+ alert.signature_id: 1
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-01/input.rules b/tests/detect-ftp/ftp-passive-dynamic_port-01/input.rules
new file mode 100644
index 000000000..17e57972b
--- /dev/null
+++ b/tests/detect-ftp/ftp-passive-dynamic_port-01/input.rules
@@ -0,0 +1 @@
+alert ftp any any -> any any (msg: "Match on FTP EPSV port"; flow:to_server; ftp.dynamic_port: 58612; sid:1;)
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-01/test.yaml b/tests/detect-ftp/ftp-passive-dynamic_port-01/test.yaml
new file mode 100644
index 000000000..e6d25b2f5
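Review bot: The QUIT line of the synthesized session is given the server-to-client direction, `default < (content:"QUIT\x0d\x0a";);`, but QUIT is a client command and the `221 Goodbye.` line that follows is the server's reply to it, so it should read `default > (content:"QUIT\x0d\x0a";);`. As the pcap is built from this file by the Makefile in the same commit, it should be regenerated after the fix so the checked-in capture and its source agree. The EPRT check in test.yaml does not depend on this exchange as far as I can see, so the expected alerts should be unchanged.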
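Review bot: This is the only rule in the series without `flow:to_server;` (every other input.rules in the commit has it), and the matching test.yaml for ftp-active-dynamic_port-02 expects `count: 2` for a session with a single EPRT command, which is left unexplained. If the second alert is the same transaction matched in the server-to-client direction — which I cannot confirm from the hunk — then `alert ftp any any -> any any (msg: "Match on FTP active port #1"; flow:to_server; ftp.dynamic_port: 34325; sid:1;)` with `count: 1` would make this case consistent with the others; otherwise a short comment in test.yaml stating why two alerts are expected would spare the next reader the same question.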
--- /dev/null +++ b/tests/detect-ftp/ftp-passive-dynamic_port-01/test.yaml @@ -0,0 +1,14 @@ +pcap: ../../ftp-epsv/input.pcap + +requires: + version: 8 + +checks: + + - filter: + count: 1 + match: + event_type: alert + ftp.command: EPSV + ftp.dynamic_port: 58612 + alert.signature_id: 1 diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-02/Makefile b/tests/detect-ftp/ftp-passive-dynamic_port-02/Makefile new file mode 100644 index 000000000..bb99b73f5 --- /dev/null +++ b/tests/detect-ftp/ftp-passive-dynamic_port-02/Makefile @@ -0,0 +1,3 @@ +ftp-passive-dynamic_port.pcap: ftp-passive-dynamic_port.syn + flowsynth.py -f pcap -w $@ $^ + diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.pcap b/tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a0a0db5236743d44fe3a42a977ca52857b76f9fb GIT binary patch literal 2313 zc-n=Q4^We39LFE_0@28jP87JThY}8i#$Zesk?}{=;mE}R0TCJ73mc8G_6`ubIO9Om zE-ozpz=;=$QE7tG1%iP}oMdKZUEUEEQC!>=_J_O51nl=d&s%SGySHcey=}jH?z7K* z_w0T5*~sY*8S+Gbtvh!R@_^^+Q;g+MHiOo{Yd&WWO;)^gWZO4i&2{Jbpmc=7`EAMG zu1g-UWUvByQ2=a|^Ax=dBbP6we3v6qe&WVZOQLQz?!~um{hPuQcoGT#4nk&#ul_!a zxC4~3WQ$1g9G#aRwaJ>^W$S$;UBCdb`lUcQNGXT&7_Ogf_x@_;=eh0qq8(Zj+F$hAUVFipGjIN{T@A5o zqIOjU3`&6^pL!pQqg>af36VL^5Q<8m47;U(-PpGX#W)dEq9%)elRSxE#_-Z1bq?98h3C zN%_vOKZd+^$oe{yQwSwqpbWaDfbIMzaClP;hQHmY+C-74c4_7I1ASVbxG$DnVI_-f zg@h6{Ema%e&Y(;f^0~fguxivx&*g?Rog|dU1xl}53aGW5g43r`VqImK)sDF;lZoZH z(kh$K-axUaxaysthEFFl{YEZp-j-}H6w*T!W2s_;kwHl?Iu`Yq?`I!Gv7&jK#_-yo8|I@(_ zN){Fg86kQ>RPQ68tc4+;y2T7x+`6!$EboPRLQx8o3vMZ(*RcYj?0kJX)>5Z_R&+A1 z?CNgrY@2(;J9n#OWg`$3aq_25`%4*=14BMtrB~Xuv6c@TjH%^>vO%C6cS`}M#~y;p zluB%fVX^l;9^nzgtcyIRd5KEd`9&QT`SYkJIfg*2#CLhwF&7n#GyW z91f3-qK}vabySQhLa6fla#4Ib&Y1T6#S_ZWxq>*!Dm8GQ_9NoMRD9?u2EJTGQmpFT z+n1c*ICcC-e?rj+lrwHAAU-sWP*!?&7Pi{W><)#+RbiuYM{J^;=DGMT)q7j2H@9^q zNww2XT|xr4h9Qmd7Cz0qo8 r&HQ<+bg*_@3h#sp_t-_tS!Xx%%w5q-2XyB*OIDZxpAkVUUqR?k6I0$X literal 0 Hc-jL100001 
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.syn b/tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.syn
new file mode 100644
index 000000000..43e05218c
--- /dev/null
+++ b/tests/detect-ftp/ftp-passive-dynamic_port-02/ftp-passive-dynamic_port.syn
@@ -0,0 +1,14 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:21 (tcp.initialize; mss: 9000;);
+default < (content:"220 (Ftp Server)\x0d\x0a";);
+default > (content:"USER user\x0d\x0a";);
+default < (content:"331 Please specify the password.\x0d\x0a";);
+default > (content:"PASS password\x0d\x0a";);
+default < (content:"230 Login successful.\x0d\x0a";);
+default > (content:"SYST\x0d\x0a";);
+default < (content:"215 UNIX Type: L8\x0d\x0a";);
+default > (content:"TYPE I\x0d\x0a";);
+default < (content:"200 Switching to Binary mode.\x0d\x0a";);
+default > (content:"PASV\x0d\x0a";);
+default < (content:"227 Entering Passive Mode (2,2,2,2,185,13).\x0d\x0a";);
+default > (content:"RETR index.html\x0d\x0a";);
+default < (content:"550 Failed to open file.\x0d\x0a";);
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-02/input.rules b/tests/detect-ftp/ftp-passive-dynamic_port-02/input.rules
new file mode 100644
index 000000000..0d2449330
--- /dev/null
+++ b/tests/detect-ftp/ftp-passive-dynamic_port-02/input.rules
@@ -0,0 +1 @@
+alert ftp any any -> any any (msg: "Match on FTP EPSV port"; flow:to_server; ftp.dynamic_port: 47373; sid:1;)
diff --git a/tests/detect-ftp/ftp-passive-dynamic_port-02/test.yaml b/tests/detect-ftp/ftp-passive-dynamic_port-02/test.yaml
new file mode 100644
index 000000000..85ccf5924
--- /dev/null
+++ b/tests/detect-ftp/ftp-passive-dynamic_port-02/test.yaml
@@ -0,0 +1,14 @@
+pcap: ftp-passive-dynamic_port.pcap
+
+requires:
+ version: 8
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PASV
+ ftp.dynamic_port: 47373
+ alert.signature_id: 1
-- 
2.47.2
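Review bot: The rule's message says `"Match on FTP EPSV port"` but this case exercises a PASV exchange (the syn file sends `PASV` and the test.yaml filters on `ftp.command: PASV`), which looks like a carry-over from ftp-passive-dynamic_port-01. Renaming it to `msg: "Match on FTP PASV port";` keeps the alert text truthful when someone reads the eve output of a failing run. The port itself is consistent: `(2,2,2,2,185,13)` decodes to 185*256+13 = 47373, matching the rule and the check.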
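Review bot: This test.yaml has no `args:` block, while ftp-active-dynamic_port-02 — whose pcap is produced by the same flowsynth Makefile recipe — passes `-k none` to disable checksum validation. If the generated capture's checksums are not valid, this test would depend on the default checksum handling and could fail where the active one passes; if they are valid, the `-k none` in the active case is unnecessary. Either way the two flowsynth-based cases should agree, and a one-line README.md like the one added for the active case would document the pcap's provenance here too.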