From 1b3e8a611eca06d043a31c7f3552a21f275a44d2 Mon Sep 17 00:00:00 2001
From: Arne Welzel <arne.welzel@corelight.com>
Date: Mon, 20 Feb 2023 15:32:27 +0100
Subject: [PATCH] ftp/main: Skip get_pending_command() for intermediate reply
 lines

Intermediate lines of multiline replies usually do not contain valid status
codes (even if servers may opt to include them). Their content may be anything
and likely unrelated to the original command. There's little reason for us
trying to match them with a corresponding command.

OSS-Fuzz generated a large command reply with very many intermediate lines
which caused long processing times due to matching every line with all
currently pending commands.
This is a DoS vector against Zeek. The new ipv6-multiline-reply.trace and
ipv6-retr-samba.trace files have been extracted from the external ipv6.trace.
---
 scripts/base/protocols/ftp/main.zeek          |  14 ++++++++--
 .../ftp.log                                   |  15 +++++++++++
 .../out                                       |  25 ++++++++++++++++++
 .../ftp.log                                   |  14 ++++++++++
 .../out                                       |  16 +++++++++++
 .../scripts.policy.protocols.ftp.ftp/.stderr  |   1 +
 .../scripts.policy.protocols.ftp.ftp/ftp.log  |  12 +++++++++
 .../Traces/ftp/ipv6-multiline-reply.trace     | Bin 0 -> 6154 bytes
 .../btest/Traces/ftp/ipv6-retr-samba.trace    | Bin 0 -> 4103 bytes
 .../protocols/ftp/ftp-multiline-reply.zeek    |  13 +++++++++
 .../base/protocols/ftp/ftp-samba-retr.zeek    |  13 +++++++++
 .../scripts/policy/protocols/ftp/ftp.zeek     |   7 +++++
 12 files changed, 128 insertions(+), 2 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.ftp-multiline-reply/ftp.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.ftp-multiline-reply/out
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.ftp-samba-retr/ftp.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.ftp-samba-retr/out
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ftp.ftp/.stderr
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ftp.ftp/ftp.log
 create mode 100644 testing/btest/Traces/ftp/ipv6-multiline-reply.trace
 create mode 100644 testing/btest/Traces/ftp/ipv6-retr-samba.trace
 create mode 100644 testing/btest/scripts/base/protocols/ftp/ftp-multiline-reply.zeek
 create mode 100644 testing/btest/scripts/base/protocols/ftp/ftp-samba-retr.zeek
 create mode 100644 testing/btest/scripts/policy/protocols/ftp/ftp.zeek

diff --git a/scripts/base/protocols/ftp/main.zeek b/scripts/base/protocols/ftp/main.zeek
index d56c276886..1ebb8cf16c 100644
--- a/scripts/base/protocols/ftp/main.zeek
+++ b/scripts/base/protocols/ftp/main.zeek
@@ -316,12 +316,22 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
 event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &priority=5
 	{
 	set_ftp_session(c);
+
+	# Skip matching up intermediate reply lines (that do not have a
+	# valid status code) with pending commands. Because they may not
+	# have a proper status code, there's little point setting whatever
+	# their reply_code and reply_msg are on the command unless to ensure
+	# c$ftp$reply_code is actually populated with "something".
+	if ( cont_resp && code == 0 && c$ftp?$reply_code )
+		return;
+
 	c$ftp$cmdarg = get_pending_cmd(c$ftp$pending_commands, code, msg);
 	c$ftp$reply_code = code;
 	c$ftp$reply_msg = msg;
 
-	# TODO: figure out what to do with continued FTP response (not used much)
-	if ( cont_resp ) return;
+	# Do not parse out information from any but the first reply line.
+	if ( cont_resp )
+		return;
 
 	# TODO: do some sort of generic clear text login processing here.
 	local response_xyz = parse_ftp_reply_code(code);
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-multiline-reply/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-multiline-reply/ftp.log
new file mode 100644
index 0000000000..3901e065d3
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-multiline-reply/ftp.log
@@ -0,0 +1,15 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ftp
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	user	password	command	arg	mime_type	file_size	reply_code	reply_msg	data_channel.passive	data_channel.orig_h	data_channel.resp_h	data_channel.resp_p	fuid
+#types	time	string	addr	port	addr	port	string	string	string	string	string	count	count	string	bool	addr	addr	port	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	2001:470:1f05:17a6:d69a:20ff:fefd:6b88	58895	2400:3000:20:100::46	21	<unknown>	-	<init>	-	-	-	220	FTP server ready.	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	2001:470:1f05:17a6:d69a:20ff:fefd:6b88	58895	2400:3000:20:100::46	21	anonymous	-	USER	anonymous	-	-	331	Guest login ok, send your email address as password.	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	2001:470:1f05:17a6:d69a:20ff:fefd:6b88	58895	2400:3000:20:100::46	21	anonymous	root@sponge.es.net	PASS	root@sponge.es.net	-	-	230	Guest login ok, access restrictions apply.	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	2001:470:1f05:17a6:d69a:20ff:fefd:6b88	58895	2400:3000:20:100::46	21	anonymous	root@sponge.es.net	EPSV	-	-	-	229	Entering Extended Passive Mode (|||60931|)	T	2001:470:1f05:17a6:d69a:20ff:fefd:6b88	2400:3000:20:100::46	60931	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	2001:470:1f05:17a6:d69a:20ff:fefd:6b88	58895	2400:3000:20:100::46	21	anonymous	root@sponge.es.net	RETR	ftp://[2400:3000:20:100::46]/pub/FreeBSD/ports/local-distfiles/avl/libssh-0.5.2.tar.gz	-	-	221	You could at least say goodbye.	-	-	-	-	-
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-multiline-reply/out b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-multiline-reply/out
new file mode 100644
index 0000000000..b7d9c53a55
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-multiline-reply/out
@@ -0,0 +1,25 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ftp_reply, T, 220, Welcome to FTP.JPIX.ad.jp,
+ftp_reply, T, 0, Welcome to FTP.JPIX.ad.jp,
+ftp_reply, T, 0, Welcome to FTP.JPIX.ad.jp,
+ftp_reply, T, 0, Welcome to FTP.JPIX.ad.jp,
+ftp_reply, T, 0, Welcome to FTP.JPIX.ad.jp,
+ftp_reply, T, 0, Welcome to FTP.JPIX.ad.jp,
+ftp_reply, T, 0, Welcome to FTP.JPIX.ad.jp,
+ftp_reply, T, 0, Welcome to FTP.JPIX.ad.jp,
+ftp_reply, T, 0, Welcome to FTP.JPIX.ad.jp,
+ftp_reply, T, 0, Welcome to FTP.JPIX.ad.jp,
+ftp_reply, T, 0, Welcome to FTP.JPIX.ad.jp,
+ftp_reply, F, 220, FTP server ready.
+ftp_reply, F, 331, Guest login ok, send your email address as password.
+ftp_reply, F, 230, Guest login ok, access restrictions apply.
+ftp_reply, F, 257, "/" is current directory.
+ftp_reply, F, 250, CWD command successful.
+ftp_reply, F, 200, MODE S accepted.
+ftp_reply, F, 200, Type set to I.
+ftp_reply, F, 550, libssh-0.5.2.tar.gz: No such file or directory.
+ftp_reply, F, 200, MODE S accepted.
+ftp_reply, F, 200, Type set to I.
+ftp_reply, F, 229, Entering Extended Passive Mode (|||60931|)
+ftp_reply, F, 550, libssh-0.5.2.tar.gz: No such file or directory.
+ftp_reply, F, 221, You could at least say goodbye.
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-samba-retr/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-samba-retr/ftp.log
new file mode 100644
index 0000000000..0171f548f6
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-samba-retr/ftp.log
@@ -0,0 +1,14 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ftp
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	user	password	command	arg	mime_type	file_size	reply_code	reply_msg	data_channel.passive	data_channel.orig_h	data_channel.resp_h	data_channel.resp_p	fuid
+#types	time	string	addr	port	addr	port	string	string	string	string	string	count	count	string	bool	addr	addr	port	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	2001:470:1f05:17a6:213:72ff:fe0d:a566	16730	2001:6f8:200:1::5:33	21	anonymous	-	USER	anonymous	-	-	331	Anonymous login ok, send your complete email address as your password	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	2001:470:1f05:17a6:213:72ff:fe0d:a566	16730	2001:6f8:200:1::5:33	21	anonymous	root@freebsd-5453	PASS	root@freebsd-5453	-	-	230	Anonymous access granted, restrictions apply	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	2001:470:1f05:17a6:213:72ff:fe0d:a566	16730	2001:6f8:200:1::5:33	21	anonymous	root@freebsd-5453	EPSV	-	-	-	229	Entering Extended Passive Mode (|||63282|)	T	2001:470:1f05:17a6:213:72ff:fe0d:a566	2001:6f8:200:1::5:33	63282	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	2001:470:1f05:17a6:213:72ff:fe0d:a566	16730	2001:6f8:200:1::5:33	21	anonymous	root@freebsd-5453	RETR	ftp://[2001:6f8:200:1::5:33]/samba/samba-3.4.17.tar.gz	-	34826629	226	Transfer complete	-	-	-	-	-
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-samba-retr/out b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-samba-retr/out
new file mode 100644
index 0000000000..b6f51e7bcc
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-samba-retr/out
@@ -0,0 +1,16 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ftp_reply, F, 220, 2001:6f8:200:1::5:33 FTP server ready
+ftp_reply, F, 331, Anonymous login ok, send your complete email address as your password
+ftp_reply, F, 230, Anonymous access granted, restrictions apply
+ftp_reply, F, 257, "/" is the current directory
+ftp_reply, T, 250, See http://samba.org/ for a list of mirror sites
+ftp_reply, F, 250, CWD command successful
+ftp_reply, F, 200, Mode set to S
+ftp_reply, F, 200, Type set to I
+ftp_reply, F, 213, 34826629
+ftp_reply, F, 213, 20120430122210
+ftp_reply, F, 200, Mode set to S
+ftp_reply, F, 200, Type set to I
+ftp_reply, F, 229, Entering Extended Passive Mode (|||63282|)
+ftp_reply, F, 150, Opening BINARY mode data connection for samba-3.4.17.tar.gz (34826629 bytes)
+ftp_reply, F, 226, Transfer complete
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ftp.ftp/.stderr b/testing/btest/Baseline/scripts.policy.protocols.ftp.ftp/.stderr
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ftp.ftp/.stderr
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ftp.ftp/ftp.log b/testing/btest/Baseline/scripts.policy.protocols.ftp.ftp/ftp.log
new file mode 100644
index 0000000000..9b6ac207c3
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ftp.ftp/ftp.log
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ftp
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	user	password	command	arg	mime_type	file_size	reply_code	reply_msg	data_channel.passive	data_channel.orig_h	data_channel.resp_h	data_channel.resp_p	fuid
+#types	time	string	addr	port	addr	port	string	string	string	string	string	count	count	string	bool	addr	addr	port	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	2001:470:1f05:17a6:d69a:20ff:fefd:6b88	58895	2400:3000:20:100::46	21	anonymous	root@sponge.es.net	EPSV	-	-	-	229	Entering Extended Passive Mode (|||60931|)	T	2001:470:1f05:17a6:d69a:20ff:fefd:6b88	2400:3000:20:100::46	60931	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	2001:470:1f05:17a6:d69a:20ff:fefd:6b88	58895	2400:3000:20:100::46	21	anonymous	root@sponge.es.net	RETR	ftp://[2400:3000:20:100::46]/pub/FreeBSD/ports/local-distfiles/avl/libssh-0.5.2.tar.gz	-	-	221	You could at least say goodbye.	-	-	-	-	-
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/ftp/ipv6-multiline-reply.trace b/testing/btest/Traces/ftp/ipv6-multiline-reply.trace
new file mode 100644
index 0000000000000000000000000000000000000000..a5296f437f9d1865f462dc0b4f9786e3f0833c70
GIT binary patch
literal 6154
zcmcJTe{2(F7{}lBx-sfHHxL~L!t25;ldbJKkqkAWtl;qI>NXi52)FC89(29t?z&N3
zq*F6VCbG!zSF8ewB1RL$2ogge0)u~a|IA-8`j;Xxt5b~rVWRbUdV7a#M{?@f>{+hs
zt>5SSd7t-r-}gq(96jJ5PQqTf93chprfTNw@W~T}<Po^WAn6MyJ}Mf0nf|eTSO3>r
z96~o)RJ5EHI1>vBZ+hdimuc=#_+%mR6GHL-^RJZ`uP1ZDv(BBtcl#Z=oVS_~hqG{h
z0ml_N9mOs#Gvg?Jb}OiT-atqPTw@qIh9;=BpMILu6g5o!_NnS*&c*9XE{%mi@$8XV
zxm@JMNwtE4f?^jRQh!H9r^8UZ1d3}x4a3AAwe0UKs5Ym|oQ}*VKo69-jH?dSJm721
z5Fw9&0LBzwGr(8Svae?Jm99whOM`|AAL^NbN`ZjCmg1{jiit{>M0JI(Yzuo=hnv=U
zg@|`sqQ>pQRJK4WPeB?OCaHuhr=qh|Hokq0RPy;4zj#FybSXmRIBiq5r<5AHT1W_S
zuaVPs$jP=rI0%DKuuoxwPzr<4GXtIf1S*@rHHL|Ek7efvne)LnO`IE+9Qz1)34}0A
z#6-(thnZM!vxykeZHvkp)g-lBQfcf8=R9EA6xSs+F6lJ5LyQXXPKmBiyfu{9BNObe
zgG6m(KbB`-HJyDasMx}OjNurBj$};ezfAyx{YxPB3UJ3TVZYTf`(K#Y=F=u(ljVJH
zJW@l~2r{6K3vm(3yd!l5e2b(>f+|MgFPbjvNnNUeOK}4K>o(%gHX#0?FQ(%^Y!m)$
z10yn6ZbHPs{~?IMPd-fWZ?=j*yPSz_d%{Ev@nd&`j@Ln3WnH2$4Fr91RE&$JmZtm-
z+T;yJlEZd#-wE8w(BA3XKL(Z800o8#3fVG>oeagkhp&MG?M8JyvCQY|>FI%fFYhq=
zzHbVVzuhFOvR72#UY`M_{&{<5Y4!q3caPb~8De*Wm|cx0JCZKrazl;NN8ld2ER9TB
zf<^oqjptX`Y;?g;W0(y0Qp>~r854V7m?nnHI&1f;Bt%jZo#amtw~c2OD%vqrImt7?
z7SW$!LE8%UFiiGK{(rJx%4X9QPDhFNYL$mtgDq5uEAdp9lGKb^DSgyM20;+R1ndUO
zV6y;r6!%Z(b}+E1om{3gP+wn1S0yD)hb6QVb}7pC8h{*+(3Fx?snjLNF)BnNs-!`a
z(P%=@v>ruei|8514|W{+Frm_5naXI%r5`;=rSv$XQg(t5rFMqzZEdBhqUg)DgaXUB
zSJJ$&th-%{U}tmS-9pk2@)#y~!dCJ8=m9)1C~00i$ME!)bD6RefqMTmJc1}94M3u+
zvZ%{S9MB{ZF)T>T>b9eW1iDo|OrTU*hLQy+?Fi+EuNjotQ9jgL9&T@RyQ)FTvx1N$
zNMV=&xW_Vpb^vf00mScO03JWaWoAbMOP10~UnQ<FVp3J5xK1OoDv7$HqF+p60Fvl~
z1TakeK497JW$@dLewFW;-#KG^=<#DK+8b#i+2LEMO45C;jlP7U>Y5Mte6iYytm#|j
zn56lH?wFBK@3%9F2DxCEP`TSOmG1DY;rU3#)5fUuNnB>mSYU~tVp4G8=n`PEXvus{
zY)!@{n0yB**l~Ouo)1j+B9l|kF(wrvAL^6VG&crmtJ`%OjKIiEP7(vN7$%1AuxxlQ
z7_LIY^UgEFPafwo6=J~er-mZM@=w5-2AraHRfW?Yr&ZweFgiVSj5)n|gbzJ=yls6r
zNSh3`Eyvts8@R+UaeBLDr*OO&u0^L&Cv)0Am&@Edf==5~2?@HOj)%#n37<zmIRUB|
zCRM)7YLySyg3purDlcR{=Lh*v|J>H54M7@{J2Wj?>-R442E4kUdOII=yA}iI!sm<0
z07zq)IDg2p^ON9w6*~W5j5*)+9+#OPTmnUHBEO7=6fE#4#c4(r^{NJdsl5fM*;4GQ
z01b2@r{l<ShGxMxd}!Butk`Qntz{->PqAMH5X}g}{U8G|P|al)d}ChhsQoHv+v2pj
z<kEOCI(^a4oK|k&Lj%>U*io&dzr>beA1?-{u#lwrbsfy<?n7Lra)Vj1qp}9d8==rJ
zOp5(h%f;RfKIfs&Q_!1?r$Y<R^P$~`g5lP+ZdWa6t$)49mPLGg9=P0uE=N9PE(dSq
zG7HZK0u3~X&jaLmCp-^;(`p3Hs$tm5$lVfMqeLXSsJFNG4u3;^U2nCKRa14bExXF$
zO+bLhUFGHv83E68d}#1SFL?j*9iyTA=cZz)0Ov=3V=C2qP^Bf<)?zlR-7eG@11?*d
z$~X_~dyxHW6E6AC&{tfhde6UVDwtZj-eu1K^uPf0rOTa;wG9l-;vA;u0~N<J&Pf%M
zu1c+T)$u+6up?cT=0AsRka0|U;eIZ&IEN~wpaQ3-|NIzqLIp5i^jxhH2-MN_N)k3C
z$yfxR2E-%*_Vk*NqMeEo=}1YijA1GZAeGgS3dWR~jeohp^2~;F1R-HqJoi6K2!8V|
VcA<PDkFp$4!Y+C$O3(k2|6iHd?6&{_

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/ftp/ipv6-retr-samba.trace b/testing/btest/Traces/ftp/ipv6-retr-samba.trace
new file mode 100644
index 0000000000000000000000000000000000000000..6d4a1334b6b5d7982fe232c22be701d40d1502ce
GIT binary patch
literal 4103
zcmb`KZD?C%6vt1}G<FFsHtXCRL!VV;Rns&tZMNluTU}FZVeO@f-B#wyZSPGNm*j?f
zZ#pw86vS<?iTJ?}4qqnX1SeCbD1!-`LpJ?jK|2^jhaZ$#P@IGLQo;H^x$U~GcW?(O
zoN|-E^FP1;bI$XeJ9YZl+ivpE{NL;>kqaMozV~ncxi5*H#4`s?oIU=9mzL`F?`HP=
z@U&~<FtvC$3YVvNZ|(BK?xp(dfA~eXynnl`1&C@X);UDW_Fnqu3@>oVJv;m9$3$*V
z?IBl9jo0I@^Lf4r9^&6vEs(CE0X%b9I+iBX_?uPU_|2=|tWL{1ho;MYJy1Mb4BRzw
z?&k$HR%nMpFP7r4;c0Tra~3MS(w!cEQ=^sp1Dm{5!lE2Dxo>csdoSlMt)QXER-$M$
zETZ9XBoWW7OW+|9NhCTFv6$#iOTtj~F;y43Dl6rBALD)0<)tC$bJ*bBe_MDZX@$qX
z{|}<aQ^^4#7qmh-uayi->AuOj1tTjZal=+MImRsk_q=o`4K3em8M*)4I(il9bJ!U9
z)NQT|BcJ<)C>D!|&Uplp(?+ueq3sO9!-68pT1gipTE3W5O;xCQIhzx*qUfq&2-&cH
zF3N_nOVbq#|BdhJXc+l%*ccsjZ1j25(MdL1{+dYYOr?abY39a^uByX^(%RA95wjHE
zKjNoxh;i81((TxmlQ8@;*ViLop}u0_>uixnMi_ZimkXw<1W{Rrsb@#btX6;##bR!*
z%(i~ur+%ctVMBknWBSXWzryt9B<QzvS*X7S8z_gBIc!klj!~}w^(v#Tx(d{ewW7JL
zS!4}i?oh=@N!QhaDU__Pj+mN0hc?>UKwBWoVS~2XG1}GXa(@$}HNHf&X-k(d<ovMQ
z7OMB<(5P)=E}CEkgbiY^Q^fwJy_aU(jM%Z85yP!1RTVo-vzTaWt0;yveY8zvG+oFd
zmo-eGWkf!!>-fURnkw3v^I5*zMH!^RVUthTaXvV`tb7z)0?0=&I$A3)qtA>|rNA<!
zoTd5@RI70s&$wZB2B)zvZ~|omo_$#P+D)?f-dg2!8|PNWHl~gfZSL<%ij<Z63rjro
z1kB>Facqra$1-rt$2<7)K{yr;i_My%;#@L?sm+UBgjiK@d@!oaRk`s^qVzT?DS9lN
z*Iw~f2d5020ORbzO~^Rua`76@oY<cbQ(zm1O_PNj?@j<X2N*~Bj40JJl(f36H5O_Q
zMb?H)Sr3iwwg5kGT|&4}D`B%=&5rl$004swI5`EtNKC}q*G1#;=z2>h6<SgqwjkIJ
zGF$NgDz7WO`POVd9rG_tX^Su87RPJ{!Pd=ekFB=YqTxt1+#bXKXfzU@E0s_D)hWhq
z5FTa1RO^kswWg<`I>mStJbjhkYPe-@oq<?YdaDmOrz*V_Sm>=h4x{D^uIk{N0?r`g
zyf|&!TP*e##3a-?hfQy-blh8mz?ov4T!JVmr3UMLynfvY58<k*giRlHIj*%Sz-(uj
zzm@_fx?UtPbm-Z_s7O9*Vk%P=Az|jqj;Yp(*fKso9*;%WMaLhsGFjQ_t<LSSeYz}p
zc$RNGO~j028}6u14_hn4!)JcQTTL=OVBf>6Ia%wY*WoLNjjtJ}zDgeWI>x@%{74kR
z4cuQ;3vBD7J$;=6+eDtP7ezK@T+4+5W*<y<mHD7DF5Gx@ikA7qO$?VYEX+B7WS_q}
z&X2+Q!HV;kw?2dm$1l{73<Ef9TzJ^A3xo46^xVVM6&Gm?wMGW7OY?Jny^jS0-&f~_
zaE4LxQX`6JgN5?W^VgN<;zQZ-8<La<$}XvqhMIo2R=#-s%8Q2^$1kxnyO48%$0pAC
Ee;8qT82|tP

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-multiline-reply.zeek b/testing/btest/scripts/base/protocols/ftp/ftp-multiline-reply.zeek
new file mode 100644
index 0000000000..dad917a587
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ftp/ftp-multiline-reply.zeek
@@ -0,0 +1,13 @@
+# @TEST-DOC: Tests that c$ftp$reply_msg stays the same over a multiline reply.
+# @TEST-EXEC: zeek -b -r $TRACES/ftp/ipv6-multiline-reply.trace %INPUT > out
+# @TEST-EXEC: btest-diff ftp.log
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/conn
+@load base/protocols/ftp
+
+redef FTP::logged_commands += { "<init>", "USER", "PASS" };
+
+event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) {
+	print "ftp_reply", cont_resp, code, cat(c$ftp$reply_msg);
+}
diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-samba-retr.zeek b/testing/btest/scripts/base/protocols/ftp/ftp-samba-retr.zeek
new file mode 100644
index 0000000000..1ad8c6863a
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ftp/ftp-samba-retr.zeek
@@ -0,0 +1,13 @@
+# @TEST-DOC: Tests interemediate lines to not confuse cwd tracking.
+# @TEST-EXEC: zeek -b -r $TRACES/ftp/ipv6-retr-samba.trace %INPUT > out
+# @TEST-EXEC: btest-diff ftp.log
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/conn
+@load base/protocols/ftp
+
+redef FTP::logged_commands += { "USER", "PASS", "RETR" };
+
+event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) {
+	print "ftp_reply", cont_resp, code, cat(c$ftp$reply_msg);
+}
diff --git a/testing/btest/scripts/policy/protocols/ftp/ftp.zeek b/testing/btest/scripts/policy/protocols/ftp/ftp.zeek
new file mode 100644
index 0000000000..bfdc88b2d0
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/ftp/ftp.zeek
@@ -0,0 +1,7 @@
+# @TEST-DOC: Smoke the policy/protocols/ftp scripts don't fall apart.
+# @TEST-EXEC: zeek -b -r $TRACES/ftp/ipv6-multiline-reply.trace %INPUT
+# @TEST-EXEC: btest-diff ftp.log
+# @TEST-EXEC: btest-diff .stderr
+
+@load protocols/ftp/detect
+@load protocols/ftp/detect-bruteforcing