diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro index f98e33b315..717b3a0669 100644 --- a/scripts/base/protocols/ftp/main.bro +++ b/scripts/base/protocols/ftp/main.bro @@ -213,7 +213,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior # on a different file could be checked, but the file size will # be overwritten by the server response to the RETR command # if that's given as well which would be more correct. - c$ftp$file_size = extract_count(msg); + c$ftp$file_size = extract_count(msg, F); } # PASV and EPSV processing diff --git a/scripts/base/utils/numbers.bro b/scripts/base/utils/numbers.bro index da8c15d7a0..d2adb49ea2 100644 --- a/scripts/base/utils/numbers.bro +++ b/scripts/base/utils/numbers.bro @@ -1,10 +1,26 @@ -## Extract the first integer found in the given string. -## If no integer can be found, 0 is returned. -function extract_count(s: string): count + +## Extract an integer from a string. +## +## s: The string to search for a number. +## +## get_first: Provide `F` if you would like the last number found. +## +## Returns: The request integer from the given string or 0 if +## no integer was found. +function extract_count(s: string, get_first: bool &default=T): count { - local parts = split_string_n(s, /[0-9]+/, T, 1); - if ( 1 in parts ) - return to_count(parts[1]); + local extract_num_pattern = /[0-9]+/; + if ( get_first ) + { + local first_parts = split_string_n(s, extract_num_pattern, T, 1); + if ( 1 in first_parts ) + return to_count(first_parts[1]); + } else - return 0; + { + local last_parts = split_string_all(s, extract_num_pattern); + if ( |last_parts| > 1 ) + return to_count(last_parts[|last_parts|-2]); + } + return 0; } diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-get-file-size/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-get-file-size/ftp.log new file mode 100644 index 0000000000..e4e7d8b877 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-get-file-size/ftp.log @@ -0,0 +1,15 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ftp +#open 2016-03-11-17-40-18 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p fuid +#types time string addr port addr port string string string string string count count string bool addr addr port string +1457455890.667768 CXWv6p3arKYeMETxOg 192.168.21.95 54089 164.107.123.6 21 - PASV - - - 227 Entering Passive Mode (164,107,123,6,183,187) T 192.168.21.95 164.107.123.6 47035 - +1457455890.667768 CXWv6p3arKYeMETxOg 192.168.21.95 54089 164.107.123.6 21 - PASV - - - 227 Entering Passive Mode (164,107,123,6,183,187) - - - - - +1457455891.781896 CXWv6p3arKYeMETxOg 192.168.21.95 54089 164.107.123.6 21 - PASV - - - 227 Entering Passive Mode (164,107,123,6,183,231) T 192.168.21.95 164.107.123.6 47079 FaFkMs3Gc0F1kvwXD +1457455894.380514 CXWv6p3arKYeMETxOg 192.168.21.95 54089 164.107.123.6 21 - PASV - - - 227 Entering Passive Mode (164,107,123,6,183,211) T 192.168.21.95 164.107.123.6 47059 Fm58Rm14ZG2Ai7nW9g +1457455900.398202 CXWv6p3arKYeMETxOg 192.168.21.95 54089 164.107.123.6 21 - PASV - - - 227 Entering Passive Mode (164,107,123,6,183,197) T 192.168.21.95 164.107.123.6 47045 FnxQXApi8WTTWNyH1 +1457455900.530943 CXWv6p3arKYeMETxOg 192.168.21.95 54089 164.107.123.6 21 - RETR ftp://164.107.123.6/mirror/internic/rfc/rfc1001.txt text/plain 154427 226 File send OK. - - - - FJblKh2PaOnGa8zcmg +#close 2016-03-11-17-40-18 diff --git a/testing/btest/Traces/ftp/ftp-with-numbers-in-filename.pcap b/testing/btest/Traces/ftp/ftp-with-numbers-in-filename.pcap new file mode 100644 index 0000000000..02b4254ef2 Binary files /dev/null and b/testing/btest/Traces/ftp/ftp-with-numbers-in-filename.pcap differ diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.bro b/testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.bro new file mode 100644 index 0000000000..4791d31460 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.bro @@ -0,0 +1,5 @@ +# This tests extracting the server reported file size +# from FTP sessions. +# +# @TEST-EXEC: bro -r $TRACES/ftp/ftp-with-numbers-in-filename.pcap +# @TEST-EXEC: btest-diff ftp.log