From d98ab00fcb52a4b704d69214b635f5ca2249a7cb Mon Sep 17 00:00:00 2001
From: Philippe Antoine <contact@catenacyber.fr>
Date: Tue, 27 Apr 2021 09:15:24 +0200
Subject: [PATCH] Adds test about ftp epsv response parsing

---
 tests/ftp-epsv/README.md  |   8 ++++++++
 tests/ftp-epsv/input.pcap | Bin 0 -> 10658 bytes
 tests/ftp-epsv/test.yaml  |  13 +++++++++++++
 3 files changed, 21 insertions(+)
 create mode 100644 tests/ftp-epsv/README.md
 create mode 100644 tests/ftp-epsv/input.pcap
 create mode 100644 tests/ftp-epsv/test.yaml

diff --git a/tests/ftp-epsv/README.md b/tests/ftp-epsv/README.md
new file mode 100644
index 000000000..df9a30638
--- /dev/null
+++ b/tests/ftp-epsv/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test FTP EPSV response parsing
+
+# PCAP
+
+The pcap comes from https://www.cloudshark.org/captures/abdc8742488f
+(first answer for `ftp epsv pcap`)
diff --git a/tests/ftp-epsv/input.pcap b/tests/ftp-epsv/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..bf22acc103d52cf43fcad8ccd4818c3e4213173c
GIT binary patch
literal 10658
zc-ozs32+o;7Jxe!35kOsAV(!@n?*#9kW9!)HWJ7X269X?0~n6Lkm-<MG85(if(VfW
z#5G)k8}V2Hvn*%;xx~c<S6naFFi>*HAwd_%5?#?0iUN{-?={nz?)?1au2oY4p}zOt
z_x}Iy*Z*+h-QAmlg;2r&UwgYC1i}ATUwdzCm-j=2eE2nfgr4Hdp~HnfZE-~-BLssW
zjEbH)N*L8;!<>I?4SEAUU$tcly+iBmXYen-9^BskWvd_rhlcG93JDQ{f+8Y+w=(A^
z{8?zQOiuv%c=$bjWUd^8=ot_I==+W$86yb2+cN7M1;0Xsvm5WZcjLe~nI0M(5t;GR
zwv9-KNWn<n4&>1Q9nH#nM6{Li_Gt1x3-nvH-P_wAeO6HNMKTiS+CqgD09(;H*Y3hX
zUkMVu_iJ*!h1A-<VOuxMmWe=n6{&iCyl8Sd##&6-VnSSET)b5@OU`+cQyk>~<1D+w
zUQ^}pxNiUCA#rL#nm#TeIW;aJPM?@CT^EUYjg&&~RB3mpbQV==>s+ZRn<_P^Dt&b=
z5I;K@CFBAumqpBsE+t|yli0VtJ#MQ)yn)1tW<!x!=C0O7BD>q6sE%y47DxDIki{~!
zMN>BLFV%Jr+gf_R-(qtg<Rfv*TAi>8V5?ZfS|6=YZ$Bmx`tr|Ig_wlI#KeRE@s*C*
z6?W0_=upum*==Ht!{Zc79aYtpl3Nm`Dr-fhXtmj#lFKDpUGk5stuEJmhtn1(*E{nW
z9j`k!ayd)m@)BgY2D?)}BhY1Y(mEhMVF=@OM<U{6CK0+5dr~3ZLZT_lY?ix&?A^fT
zbcc40*QRl~2Ke7$cdVIym)kcX|5+e@bS6~r0L;T8&i2vj^u{xZ(4DDme&WtmNYp3B
z2Xx0;T8idpJFRxNWE(0%AKcE0Qg?;J4nM4}uB?G3U=qvEa<@nsDVwQL_8lbhE;hk-
z*sp9{FeZY;i|0axaR3{~BBn>rW^NIg2u*nXrkZFjHe2LOZ=MU~HGsCBca}!iyTHDR
z4Vcj@P}jI%Bp&@NRG0{`i7aA{j~1XepGkxUT-&N9>JyU0iTTDyL`zMzlrH9`%4wS}
za0Qo>juMTIs}SfE3EtLO@UIuRf-9J-Tqc5G?=>}XtRd^R;EO3?!W=-(Vd<FWqut|8
z)#x|{?CYrG!3IUgdRa%pu(6WW?SZA29x3K!Tk;~sB7@l?nk_|!EclJtIK?1G9+(;?
zOn{&hSdstWqebYQq=|gXA35hrr^uqgZj;e3rH1kJ&mmdUG_tNEp7eWEveqMUFQ51*
z5vO)07KRhCvNQ2aT9}XnupAaKExMA36PZM4=zG`IMAPJKx%4-Vb5AVVh~5&l)xvN<
zx8sH>*{4|jvwy>Ex~Gd^1(=mZH2Y{Rdo!6t=+oh66yj#;Q&Nf;J3LmbaEYZJr&F@K
zMO%eaDs?-Y{?jR=XBVF9D&|?z4nYT!>vWZw&Cda`&ylXY&0{BG5t9h64|S}E2qYRz
z=1ICp<YohxBbzp*cbZ1cz|eX}7|NbH)vsoE3$l?Yv~(4m0CTd4HXp5A?+_*tWM_V;
zChGNRuqoV<v%)@GG%Rq#Gh4EWCU_!O%#*}ChfNX(En2iFDK$Akzvv;krn;7{Jo^sT
zLE{L6EGD7-nV$r@+TDW0H@sZ?P9o+riC}+kjGCBh#AgF?hu-WeECA#Jma92F+LPV^
z8dsBm9fhvu98p{yLv}(^yjV~z*-=%Nd5qC0R-qr8)oq0l$8MMCIVzSpoMKr;r6g8X
zxZH9cU*F^!b5VU}O?^?2O9L5Oud46Z1|WV5D{hJ)e>zo`>!Y*5o299&!C%?a3;dPs
ziIZ1BvS@*sz*Q!7Olz>$Fw(Ah0x$QMDfb5%xi?Yn9lhy_(KZ6{QbV_nR~RiZBf6Q0
z_b`dj?Nw0<u^$pG#U_Jj)I}os@TzXSCpVo7UW3L;6VQ9oLDb^6a^N!3_3`oa(1uCY
zExH~4Af>Cj@q}!r^!sVj?+JnSqmW0E1Jgfn8HqQ6Xa<;>MKnb3AYwR^2tpRDQ4{g`
ziG!V|N{X{NO68<?KGRLe19~3I%)>r9-@LgRGy5UT0D6?ZteE+R%p@d=iD@JBBV>5$
zI<AqOlz$&h{sSPuVKUNBmH#(LJPJh4f$%yJyEBPkWcL&`Q9h25J9x<5yyMuxnkWhn
z1A8zY$3<2}!;i?`1jPG{0`EAkCgKB3B8W{nt`KjK*xz;>C#EFC$K!E~85}fnH|Q>M
z)m!6gFl5n&_9uU$a&-fVeRBogdfZFIASMy)FBzaF78xu>s`ZE=2IUI8M$9E`7LB$x
z2s4rz(O<0%iE~Z_@h%(a8RFG3iO`6qLw@30y^t7q){i#kXB8FS`LOS(O&mnKLY!6O
zmRz^n^T5d<UVHYD%pMw<BkLSRsnnj*K$&m#LgMvhA-uDno+jROb)`kA{z{iVrBoU(
zFFE$vkC9$m9>UB0J?28d+)b2woRWKgjE2M=PloW8*850&?h2C#ORH{~nuu=?otD=7
zPloW8mYehxYV?>OOfD|1LXS#Me<X%42^A&*Y!Zt&&gUUw29pTF>y|3SQAotY6CN!o
z@u{%L^m=`gUe5c?CEPc{4@gbBMolh6vZ3rrzo^uV`U?=t&vg+B09L>vW<`HU#2=VM
zkbQSgg&2#(F_W`JPj#ikYIEr#5#M;O3s3Ys(o&$&VuKLHC^|3BujTE041vVv3tfZ~
zfR(U_Cf|G_>X}3k{rpxnQ4f0<lZHiIWwqNxmxpdY$~={F{$pCXZxJ7no?kV3iXmbx
z3NJbksORl`B;Eod=Z)<M5w9_cILD4t6X}f&vGtFI^F%KoEqNL(wSX=m(ZPzAV!!C4
zi^GL-fR(d|Q+zc<9LOYs=*H`6qWs2odu`nD#SP<DED7f+{}&0mp%GL9vA2-&dX=E!
z?Lb^}EP^*Fd`!fvOd=?6-lq`tNR%f9<Q@Vp$N54sG(lr%3$ShIJo|IMp${^Vjl@?z
ziQr8Nj}fsylL*d#Z&VY1>!gsJmYR%{0%kDuL<G-%3%UA5<H`nE(4Eux;y_m)WFoQd
zR0QvYIYz{<nMAO^W2c&EwiFbJMTV^GJcFEY-CXY5^CD7a)F?XzA?8vOHYm!B{w5fA
zL<;aiL!VB>a^K@b?8PKP6Sj9WVLB53mnk8zuFH@GrxC|V+m9M;bL$-DNNj}hXGL2g
zW`e}>eo?%cU@_G-TwRwr(qES+QK`#@)H}@t7%91b6fgI$DEC%I?y;2n8CCAKJveSA
z>3ECiYa$+F5@8WtxuFmrMq=KCY!Rj}Hyk~>NW>eGbi75hgw%}HsELITi*XTUDx+r0
zEDV9fo((!-8o;Kpi21%+))mZcBFH}bg+eSxViGK(+X<(OWAWlZT2SF~yX5R!8@S(w
zTqZf^HF6e1ybRPmW^<sNmhv}&IAn6LPzbO>7I94UH$?oHNd(>X7KNCDM89syNy0I}
zwr#<}<G_BLrN`lWg7kFN=*fT}D^X94ayN0j5re26F2j{jvEnc>+y8V4c(hm6h^0=+
z>XvMBGL^3e^Zb2F)t=Q<yAl$bkNzIMKd{>4jep0h!gmCozyA>N2$Kl@79LlK1xPH)
zQ~ARHtv!QyQ_xcK_n^k#d<gO)`g8a7`#ULN5S)TA2x|($XwUcJzMp(Y<$S6s=S7IP
z4h4-A1Isxn9Rgz8<}lv<&J`khnMAzKn5qyhNW=*)4$dAV2W<)CnW<xqE#`GVZ$dM*
zTl{8DHzA!jA7Zpuws3Fszo$A*Y3gW#h&$0t>YIUeoNhwm;=gil^nYNUbTSdlJU>=V
zr1=oB-e~Uqdp&81)o9rX=xwOwPnQ%e&9WBm{W}JHA%;6Sw^1D@G<9r)phw9}gQ||^
zQ+OwMK8mwuVg?g&J(CD#%B%`;84~GEFiRJS<ZTzCcz1%!NX{^goTEVBg>u$)^~<@k
z5b4@G!P`NyTX_$~m?4z@3!3zIL7>l3i0BMV|H?uneg(uk&$Tf_nL=bDo-%vXM0u`7
zZtWLQyeV`!>9|{?<8xr|M;*V$X>|O?DKsfLiKbA@AoAZ_SHq~X4VudK*EuXb$W=yX
zS2165UBwe|4U-72T+7u&`RfDZ4z0P1H#t1X`d-V@1K0;~a_C>LxT;4s5})|nUA!+O
zRuD0qNd)_Y2PwoANc{i4kia}f9Jq_ug9I}6tj5?u$R!7Ra9^9s*oxCYywVuV8$h38
zebr*g@mDtfqEgv;d0nvwP>i(lIo=aJCW&%i%gB8O<*x4b`SW;Vv?xfJ4zTGgVnIwY
z5j{*Ite@nk6yj<mnvE8NIA&a4LAIEZlA^kv!eCby1@RWuA4$|mji?zA@Kan=y)OGj
zU40D$BJraoL4pJ@iA9|3dzy%Sm_$(D=QD+f$Ny>^M>}#(7fq70ssi>iEF>E&HJqz3
z==fUR*btLK&Q@!jeF}k>Vi)?`1D#!MZUti6ZXItIrxI}mlL%dKHYvnLBo<CI!Y)Sc
zJ9~7336Lh1p3%Mr*0gR}3hWE0C$_g=&(Bt5>-7m@j>BP_RfFph`PF-Q6M9S<<-Jmq
z_XUVS|6b|dmjd(t*^0!FeOzKX5gVAq9zcAtGjaVH?mN&**1zGftO06kZI7_6-M?2H
v;Ok-IMIfHu&Rxc<h?sIm;z5Pj=qE1U!Cg@!sp_XSRks3lEqRnwRX6?@V%;m>

literal 0
Hc-jL100001

diff --git a/tests/ftp-epsv/test.yaml b/tests/ftp-epsv/test.yaml
new file mode 100644
index 000000000..69848da45
--- /dev/null
+++ b/tests/ftp-epsv/test.yaml
@@ -0,0 +1,13 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 6.0.0
+
+checks:
+
+  - filter:
+      count: 1
+      match:
+        event_type: ftp
+        ftp.command: "EPSV"
+        ftp.dynamic_port: 58612
-- 
2.47.2