From 88adf0faa14bd8cbd446ba4b8b040c2046943bba Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Sat, 26 Apr 2025 08:16:34 -0400
Subject: [PATCH] test/ftp: Tests for ftp.mode keyword

Issue: 7505

Add tests for the ftp.mode keyword for active, passive, and rule keyword validation checks on the keyword option value.
---
 tests/detect-ftp/ftp-mode-01/input.rules | 1 +
 tests/detect-ftp/ftp-mode-01/test.yaml | 14 ++++++++++++++
 tests/detect-ftp/ftp-mode-02/input.pcap | Bin 0 -> 1530 bytes
 tests/detect-ftp/ftp-mode-02/input.rules | 1 +
 tests/detect-ftp/ftp-mode-02/test.yaml | 16 ++++++++++++++++
 tests/detect-ftp/ftp-mode-03/input.rules | 3 +++
 tests/detect-ftp/ftp-mode-03/test.yaml | 14 ++++++++++++++
 7 files changed, 49 insertions(+)
 create mode 100644 tests/detect-ftp/ftp-mode-01/input.rules
 create mode 100644 tests/detect-ftp/ftp-mode-01/test.yaml
 create mode 100644 tests/detect-ftp/ftp-mode-02/input.pcap
 create mode 100644 tests/detect-ftp/ftp-mode-02/input.rules
 create mode 100644 tests/detect-ftp/ftp-mode-02/test.yaml
 create mode 100644 tests/detect-ftp/ftp-mode-03/input.rules
 create mode 100644 tests/detect-ftp/ftp-mode-03/test.yaml

diff --git a/tests/detect-ftp/ftp-mode-01/input.rules b/tests/detect-ftp/ftp-mode-01/input.rules
new file mode 100644
index 000000000..fda30b325
--- /dev/null
+++ b/tests/detect-ftp/ftp-mode-01/input.rules
@@ -0,0 +1 @@
+alert ftp any any -> any any (msg: "Match on FTP active mode"; flow:established; ftp.mode: active; sid:1;)
diff --git a/tests/detect-ftp/ftp-mode-01/test.yaml b/tests/detect-ftp/ftp-mode-01/test.yaml
new file mode 100644
index 000000000..191fb7443
--- /dev/null
+++ b/tests/detect-ftp/ftp-mode-01/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ version: 8
+
+pcap: ../../bug-3519/input.pcap
+
+checks:
+
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ ftp.command: PORT
+ ftp.mode: active
+ alert.signature_id: 1
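Review bot: The single filter in ftp-mode-01/test.yaml only counts alerts that carry `ftp.command: PORT` and `ftp.mode: active`, so sid 1 firing on any other command in the capture would go unnoticed; a second filter on `event_type: alert` and `alert.signature_id: 1` alone, also with `count: 4`, would pin that the keyword matches nowhere else. The same gap exists in ftp-mode-02/test.yaml, whose filter does not constrain `ftp.command` at all. The test also borrows `../../bug-3519/input.pcap`, which ties it to an unrelated test directory; a one-line comment above the `pcap:` key such as `# reuses the bug-3519 capture, which carries the PORT exchanges this keyword needs` would tell a maintainer why that capture was chosen and that it must not be moved.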
diff --git a/tests/detect-ftp/ftp-mode-02/input.pcap b/tests/detect-ftp/ftp-mode-02/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..811c225d144857c412bd4c45675ab9f68dbd4182
GIT binary patch
literal 1530 zc-p0u-)hrP9LG=ExoPUO3cYb&{Mf}YLK4o289f?YwSC@!I5e7;A0XA$_I z`)(@ea+-T|_e}G0Hw!rPo^;_v~bd4}4pO!?txOL(ecRFs+`khZp9-TSN4?gZH;6)I+_xha~;g z1B}2Gkh?6a%0iH}g0mVRNS>V4tF{27U&v<^0(1&2WW1M8ELxke{Ad~c7@Q&JUXXz6 YbI(aap8vP+u}mflq3Z?c`ZSvT0km@#YybcN literal 0 Hc-jL100001

diff --git a/tests/detect-ftp/ftp-mode-02/input.rules b/tests/detect-ftp/ftp-mode-02/input.rules
new file mode 100644
index 000000000..fd600bee9
--- /dev/null
+++ b/tests/detect-ftp/ftp-mode-02/input.rules
@@ -0,0 +1 @@
+alert ftp any any -> any any (msg: "Match on FTP passive mode #1"; flow:established; ftp.mode:passive; sid:1;)
diff --git a/tests/detect-ftp/ftp-mode-02/test.yaml b/tests/detect-ftp/ftp-mode-02/test.yaml
new file mode 100644
index 000000000..0583a7998
--- /dev/null
+++ b/tests/detect-ftp/ftp-mode-02/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ version: 8
+
+pcap: ../../ftp-epsv/input.pcap
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 8
+ match:
+ event_type: alert
+ ftp.mode: passive
+ alert.signature_id: 1
diff --git a/tests/detect-ftp/ftp-mode-03/input.rules b/tests/detect-ftp/ftp-mode-03/input.rules
new file mode 100644
index 000000000..b2b654fe3
--- /dev/null
+++ b/tests/detect-ftp/ftp-mode-03/input.rules
@@ -0,0 +1,3 @@
+alert ftp any any -> any any (msg: "Match on FTP active mode"; flow:established; ftp.mode: suricata; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP active mode"; flow:established; ftp.mode: xpassive; sid:2;)
+alert ftp any any -> any any (msg: "Match on FTP active mode"; flow:established; ftp.mode: xactive; sid:3;)
diff --git a/tests/detect-ftp/ftp-mode-03/test.yaml b/tests/detect-ftp/ftp-mode-03/test.yaml
new file mode 100644
index 000000000..af5086ddf
--- /dev/null
+++ b/tests/detect-ftp/ftp-mode-03/test.yaml
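Review bot: ftp-mode-02/test.yaml sets `pcap: ../../ftp-epsv/input.pcap`, yet this commit also adds `tests/detect-ftp/ftp-mode-02/input.pcap` (1530 bytes per the diffstat) and nothing references it, so either the `pcap:` line is stale or the binary file is dead weight that will confuse whoever maintains the test. If the local capture is the intended input, the `pcap:` line should go so the runner picks up the directory's own input.pcap; if the shared ftp-epsv capture is intended, the new file should be dropped from the commit. The `-k none` argument also appears here but not in ftp-mode-01; presumably the chosen capture has bad checksums, and a comment such as `# -k none: capture carries bad transport checksums` above `args:` would record that so nobody removes it.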
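Review bot: All three rules in ftp-mode-03/input.rules keep the copy-pasted `msg: "Match on FTP active mode"` although each is meant to be rejected for an invalid `ftp.mode` value, which will read as a genuine active-mode rule to anyone grepping the log or the rules later. Naming the intent per line, e.g. `msg: "ftp.mode rejects unknown value"`, `msg: "ftp.mode rejects xpassive"` and `msg: "ftp.mode rejects xactive"`, makes the expected failure self-describing at no cost.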
@@ -0,0 +1,14 @@
+requires:
+ version: 8
+ pcap: false
+
+exit-code: 1
+
+args:
+ - --engine-analysis
+
+checks:
+
+ - shell:
+ args: grep "error parsing signature" suricata.log | wc -l | xargs
+ expect: 3
-- 
2.47.2
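Review bot: The shell check in ftp-mode-03/test.yaml counts every line matching `error parsing signature` in suricata.log, so an expectation of 3 is also satisfied by three parse failures that have nothing to do with `ftp.mode`, and the test cannot tell which of the three rules was rejected. If the parse-error line quotes the signature text, as it does in recent Suricata releases, anchoring on the rejected option makes the check specific, e.g. `args: grep -c "error parsing signature.*ftp.mode: x\?[a-z]*;" suricata.log`, or one `shell` check per rejected value (`ftp.mode: suricata`, `ftp.mode: xpassive`, `ftp.mode: xactive`) each expecting 1. A comment above `exit-code: 1` stating that `--engine-analysis` is expected to fail because all three rules are invalid would also save the next reader from treating the non-zero exit as a runner problem.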