From 8f96ac3b777e65c193d9c8b8dac72b9fbc786859 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Mon, 28 Nov 2022 11:07:19 +0100 Subject: [PATCH 1/3] ftp: ignore invalid commands Do not propagate wrong FTP commands to script land. --- src/analyzer/protocol/ftp/FTP.cc | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/src/analyzer/protocol/ftp/FTP.cc b/src/analyzer/protocol/ftp/FTP.cc index bfdd42da34..914c6c2c8b 100644 --- a/src/analyzer/protocol/ftp/FTP.cc +++ b/src/analyzer/protocol/ftp/FTP.cc @@ -63,6 +63,20 @@ static uint32_t get_reply_code(int len, const char* line) return 0; } +// The minimal length of an FTP command is 3 characters (PWD, MKD, +// RMD, ...) and should only contain printable ascii. +static bool is_ftp_cmd(int len, const char* s) + { + if ( len < 3 ) + return false; + + for ( int i = 0; i < len; i++ ) + if ( ! isprint(s[i]) || isspace(s[i]) ) + return false; + + return true; + } + void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) { analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig); @@ -91,10 +105,13 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) util::get_word(end_of_line - line, line, cmd_len, cmd); line = util::skip_whitespace(line + cmd_len, end_of_line); - if ( cmd_len == 0 ) + if ( ! is_ftp_cmd(cmd_len, cmd) ) { - // Weird("FTP command missing", end_of_line - orig_line, orig_line); - cmd_str = new StringVal(""); + if ( AnalyzerConfirmed() ) + Weird("FTP_invalid_command"); + + // Ignore the whole line. + return; } else if ( BifConst::FTP::max_command_length > 0 && static_cast(cmd_len) > BifConst::FTP::max_command_length ) From cf375cf362a6556f292f9f474d28667f77e7c057 Mon Sep 17 00:00:00 2001 
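Review bot: In `is_ftp_cmd`, `isprint(s[i])` and `isspace(s[i])` are called with a plain `char` taken from the stream data. Where `char` is signed, any byte of 0x80 or above becomes a negative argument, which is undefined behaviour for the `<cctype>` functions. Convert first, e.g. `const auto c = static_cast<unsigned char>(s[i]);` followed by `if ( ! isprint(c) || isspace(c) )`. Both functions also follow the C locale, so the "printable ascii" promise in the comment holds only in the default locale; an explicit range check such as `c > 0x20 && c < 0x7f` would state the intent directly.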
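Review bot: The `AnalyzerConfirmed()` gate in the new `! is_ftp_cmd(cmd_len, cmd)` branch drops a rejected command on a not-yet-confirmed connection with no weird and no violation, and nothing in the hunk says this is intended. If the aim is to keep non-FTP traffic from flooding weird.log, a comment should say so, e.g. `// Only report once confirmed; before that, garbage is expected from non-FTP traffic.` The weird also carries none of the offending input, unlike the commented-out call it replaces, so triage has to go back to the capture. A length-capped copy of the command word passed as the weird's additional field would help, if the `Weird` overload in use accepts one. DeliverStream starts and ends outside this hunk.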
From: Arne Welzel Date: Mon, 28 Nov 2022 11:09:50 +0100 Subject: [PATCH 2/3] ftp: Harden reply handing a bit and don't raise bad replies to script-land This improves runtime of the oss-fuzz generated traffic in #125. Specifically, that reproducers included a 064- reply code that was interpreted as needing to be continued. Also, return after AnalyzerViolations() for server replies rather than propagating bad replies them to script-land. This trusts server's to generally behave according to specification. --- src/analyzer/protocol/ftp/FTP.cc | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/src/analyzer/protocol/ftp/FTP.cc b/src/analyzer/protocol/ftp/FTP.cc index 914c6c2c8b..f0dcdeb5a4 100644 --- a/src/analyzer/protocol/ftp/FTP.cc +++ b/src/analyzer/protocol/ftp/FTP.cc @@ -166,25 +166,39 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig) } else { // a new reply - if ( reply_code > 0 && length > 3 && line[3] == '-' ) + cont_resp = 0; + + if ( reply_code == 0 ) + { + AnalyzerViolation("non-numeric reply code", (const char*)data, length); + return; + } + else if ( reply_code < 100 ) + { + AnalyzerViolation("invalid reply code", (const char*)data, length); + return; + } + else if ( length > 3 && line[3] == '-' ) { // a continued reply pending_reply = reply_code; line = util::skip_whitespace(line + 4, end_of_line); cont_resp = 1; } + else if ( length > 3 && line[3] != ' ' ) + { + // This is a proper reply code, but there's no space after + // the reply code even though the line is long enough. + AnalyzerViolation("invalid reply line", (const char*)data, length); + return; + } else { // a self-contained reply - if ( reply_code > 0 ) - line += 3; - else - AnalyzerViolation("non-numeric reply code", (const char*)data, length); + line += 3; if ( line < end_of_line ) line = util::skip_whitespace(line, end_of_line); else line = end_of_line; - - cont_resp = 0; } } 
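Review bot: The `reply_code == 0` branch keeps the reason string "non-numeric reply code", but the dpd.log baseline added in patch 3/3 shows that reason for a line beginning `99 `. It therefore seems to cover every line for which get_reply_code (outside this hunk) returns 0, not only non-numeric ones; a reason such as `"missing or malformed reply code"` would be less misleading in dpd.log. The new `reply_code < 100` branch deserves a comment naming the case it is for, e.g. `// Three digits but below 100, such as the "064-" line from the fuzzing reproducer.` Every one of these branches now returns after a violation, and patch 3/3 states that the analyzer is then disabled, so one malformed server line ends FTP logging for the connection. That trade-off is worth stating in a comment so operators know to watch dpd.log for FTP violations on otherwise established sessions.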
From 942f829825d9b7b09d4e3ddd46d2501f267fc448 Mon Sep 17 00:00:00 2001 
From: Arne Welzel Date: Wed, 30 Nov 2022 19:21:10 +0100 Subject: [PATCH 3/3] testing/ftp: Add tests and pcaps with invalid reply lines These have been created artificially. The tests show that for an invalid reply line without a numeric code, with a numeric code < 100 or a numeric code not followed by a space we now raise an analyzer violation and disable the analyzer. --- .../conn.log | 11 +++++++++++ .../dpd.log | 11 +++++++++++ .../ftp.log | 13 +++++++++++++ .../conn.log | 11 +++++++++++ .../dpd.log | 11 +++++++++++ .../ftp.log | 13 +++++++++++++ .../conn.log | 11 +++++++++++ .../dpd.log | 11 +++++++++++ .../ftp.log | 13 +++++++++++++ .../btest/Traces/ftp/ftp-invalid-reply-code.pcap | Bin 0 -> 2031 bytes .../btest/Traces/ftp/ftp-missing-reply-code.pcap | Bin 0 -> 2034 bytes .../ftp/ftp-missing-space-after-reply-code.pcap | Bin 0 -> 2028 bytes .../protocols/ftp/ftp-invalid-reply-code.zeek | 11 +++++++++++ .../protocols/ftp/ftp-missing-reply-code.zeek | 11 +++++++++++ .../ftp/ftp-missing-space-after-reply-code.zeek | 11 +++++++++++ 15 files changed, 138 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/conn.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/dpd.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/ftp.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/conn.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/dpd.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/ftp.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/conn.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/dpd.log create mode 100644 
testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/ftp.log create mode 100644 testing/btest/Traces/ftp/ftp-invalid-reply-code.pcap create mode 100644 testing/btest/Traces/ftp/ftp-missing-reply-code.pcap create mode 100644 testing/btest/Traces/ftp/ftp-missing-space-after-reply-code.pcap create mode 100644 testing/btest/scripts/base/protocols/ftp/ftp-invalid-reply-code.zeek create mode 100644 testing/btest/scripts/base/protocols/ftp/ftp-missing-reply-code.zeek create mode 100644 testing/btest/scripts/base/protocols/ftp/ftp-missing-space-after-reply-code.zeek diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/conn.log new file mode 100644 index 0000000000..dd5edb3ab7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/conn.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51354 127.0.0.1 21 tcp - 9.891089 34 71 SF - - 0 ShAdDaFf 13 718 10 599 - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/dpd.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/dpd.log new file mode 100644 index 0000000000..4efd80fa0f --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/dpd.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dpd +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason +#types time string addr port addr port enum string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51354 127.0.0.1 21 tcp FTP non-numeric reply code [99 PASV invalid] +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/ftp.log new file mode 100644 index 0000000000..cd149015f5 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/ftp.log @@ -0,0 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ftp +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p fuid +#types time string addr port addr port string string string string string count count string bool addr addr port string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51354 127.0.0.1 21 zeek - USER zeek - - 230 USER OK - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51354 127.0.0.1 21 zeek PASS zeek - - 230 PASS OK - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51354 127.0.0.1 21 zeek PASV - - - 230 PASS OK - - - - - +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/conn.log new file mode 100644 index 0000000000..f8ad05cb2d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/conn.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51344 127.0.0.1 21 tcp - 10.862185 34 74 SF - - 0 ShAdDaFf 13 718 10 602 - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/dpd.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/dpd.log new file mode 100644 index 0000000000..f0301d0f7d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/dpd.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dpd +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason +#types time string addr port addr port enum string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51344 127.0.0.1 21 tcp FTP non-numeric reply code [SYST not supported] +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/ftp.log new file mode 100644 index 0000000000..f14e2c92ab --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/ftp.log @@ -0,0 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ftp +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p fuid +#types time string addr port addr port string string string string string count count string bool addr addr port string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51344 127.0.0.1 21 zeek - USER zeek - - 230 USER OK - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51344 127.0.0.1 21 zeek PASS zeek - - 230 PASS OK - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51344 127.0.0.1 21 zeek SYST - - - 230 PASS OK - - - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/conn.log new file mode 100644 index 0000000000..b3cbeecb64 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/conn.log 
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51346 127.0.0.1 21 tcp - 11.705309 34 68 SF - - 0 ShAdDaFf 13 718 10 596 - +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/dpd.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/dpd.log new file mode 100644 index 0000000000..00876f2723 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/dpd.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dpd +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto analyzer failure_reason +#types time string addr port addr port enum string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51346 127.0.0.1 21 tcp FTP invalid reply line [230_no_space] +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/ftp.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/ftp.log new file mode 100644 index 0000000000..bcc46520f9 --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/ftp.log @@ -0,0 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ftp +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p user password command arg mime_type file_size reply_code reply_msg data_channel.passive data_channel.orig_h data_channel.resp_h data_channel.resp_p fuid +#types time string addr port addr port string string string string string count count string bool addr addr port string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51346 127.0.0.1 21 zeek - USER zeek - - 230 USER OK - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51346 127.0.0.1 21 zeek PASS zeek - - 230 PASS OK - - - - - +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 51346 127.0.0.1 21 zeek RETR ftp://127.0.0.1/. - - 230 PASS OK - - - - - +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Traces/ftp/ftp-invalid-reply-code.pcap b/testing/btest/Traces/ftp/ftp-invalid-reply-code.pcap new file mode 100644 index 0000000000000000000000000000000000000000..09de02ed0cd9385c3a6987c42e7592868980afd7 GIT binary patch literal 2031 zcmaLXUr1A77{~F~shh3lznUmg99rxmp>*bjrfri}+F@udg+R!a6P6*epqyncyQsUc z3y~!?GmSWz&_!V+k%0{g6%0fYTwO#ELfzO!#d@A+=aqBhcwTrR#XjeIehxpqdp=@d z8H}G~lCd=SVs!Y{`3pIj>;(K9ukvIu4`bEh6&G_Ef7SNEf501$GHYvN%WM3}m?633 z|H_ylBe|4e$TEBF#Wnc-wDfcn$}wG;F_f!cahX};(cN?6Gtj4F`N`(3qC$MHO2Q=4G-bpztaWiN~e;C=TRuQEr{Y z)<~g&4Q*444o9ib6+Y1J?+6H?fWIwlG2=td!b5bj!<1deAEL;fq3m(>L&iY-8#OX7 z^x{<>%65u9BvxyRkX`tZi?$FB(d6@-5_$rG4vQJ_%6mqgT-$mGWg@U`({1Xsc zyR%sxd=l^~4}Bo2#Ooy1Xo?X0`3Dy(tX_MG3u2osW^|{(-MUm7r6KlkSDtnSrd`I; z{x=(Lf!AJPMe$oWoB1FSukui-M|wo!4owkCm(Hoh%1T_eSqOGs_FoLPrJ{3s^rFQ+ z8e{Wc;$@h3jiM)1k0^Kw(Svg)y?G-f9_G>VFDxZO^ul*8I*VY2f|E`4r!8i5zs#GM z2rJ-K9vY)Y8ly3Ga#x;r4dz|Nzm{iSDqUxh!%-&Gh65>j`+`a5Hz(epWEZF95Ku?s$>Gg}bD8K$XynZ4AVlYc7 cx)UhwZ`TvWo78xOi}G71;H`h-TW=Qs19|YJ4*&oF literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/ftp/ftp-missing-reply-code.pcap b/testing/btest/Traces/ftp/ftp-missing-reply-code.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3f32d6aa73b3f73bcb39321b148f833fdbd0a12d GIT binary patch literal 2034 zcmaLXPe_w-9LMpWk2-ZR%|O&bc}zxsgtDbUVx}YAbPlUImzBAv?J=FD!!%QZq!~g5 z^AzF}v=yPmtQ}>iwP`) z@e_|TmIhz=UrYsx%ko$Y{28zIWV1%bYNOZdS-t5^*F*RRcvq%b!FFWnFaFIrA--|% zC1XNHd?Q21HoL7w#rXZS^zPS#90{-8ZpcU|9}mOiT2limivr^OzSXyxK#eL%D!rEW|~%)rYMU zMFRWrTrb*em1218M32-ji$k&$9J845AuaF_gX|lW9pDeqWQQobO8<}mi2G(UnHzfX zY7b?fk9L#jODRHjZ*qt-KMvvbG+q|RWx3yCM!Xg9y>pdD+T;Pp)lEX%k!2I+{+Z>u zh?n_MTu?Gu8+78;9?ES{nn)Z-DMId}lSxrR(RR90q~tbNB6t<}y@R8ET0`P|V&7#G zd@M#O_^FPUWC;G%lxwuFM4~sP2*Ix3T&(DWVCiCm$D{6x_z_30L9XJUHO4uv?mG(m z=40+wSc_Nmq3Cnw8tv;O@peiPa^*t3i2G79?u-0m;0^Y@No#a-Ufnkz_MN2QfS&IK z@%zyn=7diIUhSa|L`^h6;+2#l1Rp-b#p*S;wW80{>1nr^(JeogV^FFz(-8N$t4=!! z(-vas>a(P~?zUF1q1bsmhjl^^Ar5X!!!4P=0hxRz9xM+_%+*S9OfrU%(7v`%kTDNY|W;-R?$K(Y46KI1GdMNoC zr`6;V7$Jrue0;B``yqBD(@?xc;?Bu0Cwv6GAHTbIIH&*NL~7XJfy39-Zg literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/ftp/ftp-missing-space-after-reply-code.pcap b/testing/btest/Traces/ftp/ftp-missing-space-after-reply-code.pcap new file mode 100644 index 0000000000000000000000000000000000000000..6c1f7c5bfc6bbde741fde92f65f7caceba069884 GIT binary patch literal 2028 zcmaLXT}V@59LMp;#daQepu#@qdw!06US61y zn2GTdi!qh~e;J+}?OHmV&FbOLc*SF83S;GptCCe_ZTH`V|A2R8g5}-W?kUHgoR(ti zAMP_InPTfE$!t{}*SqoGGcq%Gqx{=YW(?)>cU)$9D--T-Yi7_ZruW8H*K?9()VX}% zNH(j6C*c(jH6K^%sQC()_2vrDEn1GmcGjRVBi@TDwvHENvo@gciigBnZ63v?9WLsv z7Hrk_OKjs{LJXqlbe7orhKkO01_Sm>fzGo-vK1e)3=c8LuBYtF{2@YiK4mW^JtTMy z#Je^dQ=u2Hcqsdn(m-M`r3l#_7A}SdAv@USRXq0LKp-ev5&r~u`dn=R@%J{4>zm}m zCN9kV@kqqOgD4i}+L#+U@rs9XtF#v+(&r4-BoT727AM4z>Ie@ykCoUd+1(HiZUjDk zu+m6tgm|#NuM0jFg%o@{i4Wa?;Nr)!(Y`8)=TnLhTsz9eu}ugLHCK7P`o4(w1D-xt zdr51^9M{(|08~<4OG1Ef7t+EX)O;1ia#*55!5uP2z==A_V96aWT>k!CM}s)gxQc ztpPWEsrH(t-NRjd+ESR-hov8*q8n*PF_2|p&5(#!JXBh(Ez-1qQ;Jaf9KK!SUpWz< z>WH+%wEmu6|3F`7S0G+I0)F~prJ0ua|7+L>+tyI=gCySP#Z!0cB zvHXXN(K0CZwY1f>%2ssuO<7n2On_HBv_ysWhPGwg)wivIZTWG$&fOzJqq39*CC#9GxvDpnS&J}R+;WHyq zdrPlx=A!=kD!hJ&2I9;wQJgEl#xI7V(n^gNxv0N&2fTF?zV*z{gm_4G%oY3tySv6U literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-invalid-reply-code.zeek b/testing/btest/scripts/base/protocols/ftp/ftp-invalid-reply-code.zeek new file mode 100644 index 0000000000..6f154784d5 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ftp/ftp-invalid-reply-code.zeek @@ -0,0 +1,11 @@ +# @TEST-DOC: Th server replies with a line that does not contain a numeric code.: violation. +# @TEST-EXEC: zeek -b -r $TRACES/ftp/ftp-invalid-reply-code.pcap %INPUT +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff ftp.log +# @TEST-EXEC: btest-diff dpd.log +# @TEST-EXEC: test ! -f reporter.log + +@load base/protocols/conn +@load base/protocols/ftp + +redef FTP::logged_commands += { "USER", "PASS", "SYST", "QUIT" }; 
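Review bot: None of the three new tests appears to reach the `reply_code < 100` branch added in patch 2/3. The dpd.log baseline for ftp-invalid-reply-code records `non-numeric reply code [99 PASV invalid]`, which is the `reply_code == 0` path. A trace whose reply line starts with three digits below 100 (the 2/3 commit message mentions `064-`) would cover the missing branch. The `@TEST-DOC` line here is also the same sentence as in ftp-missing-reply-code.zeek and ftp-missing-space-after-reply-code.zeek, typo included ("Th server"), and it describes only the missing-code case. Suggested: `# @TEST-DOC: The server replies with a numeric code below 100: violation.` for this file and `# @TEST-DOC: The server replies with a valid code not followed by a space: violation.` for the missing-space test.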
diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-missing-reply-code.zeek b/testing/btest/scripts/base/protocols/ftp/ftp-missing-reply-code.zeek new file mode 100644 index 0000000000..5459984174 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ftp/ftp-missing-reply-code.zeek @@ -0,0 +1,11 @@ +# @TEST-DOC: Th server replies with a line that does not contain a numeric code.: violation. +# @TEST-EXEC: zeek -b -r $TRACES/ftp/ftp-missing-reply-code.pcap %INPUT +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff ftp.log +# @TEST-EXEC: btest-diff dpd.log +# @TEST-EXEC: test ! -f reporter.log + +@load base/protocols/conn +@load base/protocols/ftp + +redef FTP::logged_commands += { "USER", "PASS", "SYST", "QUIT" }; diff --git a/testing/btest/scripts/base/protocols/ftp/ftp-missing-space-after-reply-code.zeek b/testing/btest/scripts/base/protocols/ftp/ftp-missing-space-after-reply-code.zeek new file mode 100644 index 0000000000..ca0f2b78dd --- /dev/null +++ b/testing/btest/scripts/base/protocols/ftp/ftp-missing-space-after-reply-code.zeek @@ -0,0 +1,11 @@ +# @TEST-DOC: Th server replies with a line that does not contain a numeric code.: violation. +# @TEST-EXEC: zeek -b -r $TRACES/ftp/ftp-missing-space-after-reply-code.pcap %INPUT +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff ftp.log +# @TEST-EXEC: btest-diff dpd.log +# @TEST-EXEC: test ! -f reporter.log + +@load base/protocols/conn +@load base/protocols/ftp + +redef FTP::logged_commands += { "USER", "PASS", "SYST", "QUIT" };