23338889526

Committed 20 Mar 2026 10:29AM UTC coverage: 76.331% (-3.0%) from 79.315%

Build # 23338889526

Build Type

Pull #15053

github

Committed by

web-flow

Commit Message

Merge 00ac1dd14 into 6587e363a

Pull Request Pull Request #15053: Flow queue/v3

Coverage Stats

106 of 127 new or added lines in 8 files covered. (83.46%)

9913 existing lines in 468 files now uncovered.

255689 of 334972 relevant lines covered (76.33%)

4170649.82 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

88.24

/src/detect-ftp-command.c

/* Copyright (C) 2025 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 *
 * \author Jeff Lucovsky <jlucovsky@oisf.net>
 *
 * Implements the ftp.command sticky buffer
 *
 */

#include "suricata-common.h"
#include "detect.h"

#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-buffer.h"
#include "detect-engine-helper.h"

#include "flow.h"

#include "app-layer.h"
#include "app-layer-ftp.h"

#include "detect-ftp-command.h"

#define KEYWORD_NAME "ftp.command"
#define KEYWORD_DOC  "ftp-keywords.html#ftp-command"
#define BUFFER_NAME  "ftp.command"
#define BUFFER_DESC  "ftp command"

static int g_ftp_cmd_buffer_id = 0;

static int DetectFtpCommandSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    if (SCDetectBufferSetActiveList(de_ctx, s, g_ftp_cmd_buffer_id) < 0)
        return -1;

    if (SCDetectSignatureSetAppProto(s, ALPROTO_FTP) < 0)
        return -1;

    return 0;
}

static bool DetectFTPCommandGetData(
        const void *txv, const uint8_t _flow_flags, const uint8_t **buffer, uint32_t *buffer_len)
{
    FTPTransaction *tx = (FTPTransaction *)txv;

    if (tx->command_descriptor.command_code == FTP_COMMAND_UNKNOWN)
        return false;

    uint8_t b_len = 0;
    if (SCGetFtpCommandInfo(
                tx->command_descriptor.command_index, (const char **)buffer, NULL, &b_len)) {
        *buffer_len = b_len;
        return true;
    } else {
        return false;
    }
}

void DetectFtpCommandRegister(void)
{
    /* ftp.command sticky buffer */
    sigmatch_table[DETECT_FTP_COMMAND].name = KEYWORD_NAME;
    sigmatch_table[DETECT_FTP_COMMAND].desc = "sticky buffer to match on the FTP command buffer";
    sigmatch_table[DETECT_FTP_COMMAND].url = "/rules/" KEYWORD_DOC;
    sigmatch_table[DETECT_FTP_COMMAND].Setup = DetectFtpCommandSetup;
    sigmatch_table[DETECT_FTP_COMMAND].flags |= SIGMATCH_NOOPT;

    g_ftp_cmd_buffer_id = SCDetectHelperBufferMpmRegister(
            BUFFER_NAME, BUFFER_DESC, ALPROTO_FTP, STREAM_TOSERVER, DetectFTPCommandGetData);

    SCLogDebug("registering " BUFFER_NAME " rule option");
}

1	/* Copyright (C) 2025 Open Information Security Foundation
2	*
3	* You can copy, redistribute or modify this Program under the terms of
4	* the GNU General Public License version 2 as published by the Free
5	* Software Foundation.
6	*
7	* This program is distributed in the hope that it will be useful,
8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10	* GNU General Public License for more details.
11	*
12	* You should have received a copy of the GNU General Public License
13	* version 2 along with this program; if not, write to the Free Software
14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15	* 02110-1301, USA.
16	*/
17
18	/**
19	*
20	* \author Jeff Lucovsky <jlucovsky@oisf.net>
21	*
22	* Implements the ftp.command sticky buffer
23	*
24	*/
25
26	#include "suricata-common.h"
27	#include "detect.h"
28
29	#include "detect-parse.h"
30	#include "detect-engine.h"
31	#include "detect-engine-buffer.h"
32	#include "detect-engine-helper.h"
33
34	#include "flow.h"
35
36	#include "app-layer.h"
37	#include "app-layer-ftp.h"
38
39	#include "detect-ftp-command.h"
40
41	#define KEYWORD_NAME "ftp.command"	2,216✔
42	#define KEYWORD_DOC "ftp-keywords.html#ftp-command"	2,216✔
43	#define BUFFER_NAME "ftp.command"	2,216✔
44	#define BUFFER_DESC "ftp command"	2,216✔
45
46	static int g_ftp_cmd_buffer_id = 0;
47
48	static int DetectFtpCommandSetup(DetectEngineCtx de_ctx, Signature s, const char *str)
49	{	14✔
50	if (SCDetectBufferSetActiveList(de_ctx, s, g_ftp_cmd_buffer_id) < 0)	14✔
UNCOV 51	return -1;	×
52
53	if (SCDetectSignatureSetAppProto(s, ALPROTO_FTP) < 0)	14✔
UNCOV 54	return -1;	×
55
56	return 0;	14✔
57	}	14✔
58
59	static bool DetectFTPCommandGetData(
60	const void txv, const uint8_t _flow_flags, const uint8_t buffer, uint32_t buffer_len)
61	{	10✔
62	FTPTransaction tx = (FTPTransaction )txv;	10✔
63
64	if (tx->command_descriptor.command_code == FTP_COMMAND_UNKNOWN)	10✔
65	return false;	1✔
66
67	uint8_t b_len = 0;	9✔
68	if (SCGetFtpCommandInfo(	9✔
69	tx->command_descriptor.command_index, (const char **)buffer, NULL, &b_len)) {	9✔
70	*buffer_len = b_len;	9✔
71	return true;	9✔
72	} else {	9✔
73	return false;	×
74	}	×
75	}	9✔
76
77	void DetectFtpCommandRegister(void)
78	{	2,216✔
79	/* ftp.command sticky buffer */
80	sigmatch_table[DETECT_FTP_COMMAND].name = KEYWORD_NAME;	2,216✔
81	sigmatch_table[DETECT_FTP_COMMAND].desc = "sticky buffer to match on the FTP command buffer";	2,216✔
82	sigmatch_table[DETECT_FTP_COMMAND].url = "/rules/" KEYWORD_DOC;	2,216✔
83	sigmatch_table[DETECT_FTP_COMMAND].Setup = DetectFtpCommandSetup;	2,216✔
84	sigmatch_table[DETECT_FTP_COMMAND].flags \|= SIGMATCH_NOOPT;	2,216✔
85
86	g_ftp_cmd_buffer_id = SCDetectHelperBufferMpmRegister(	2,216✔
87	BUFFER_NAME, BUFFER_DESC, ALPROTO_FTP, STREAM_TOSERVER, DetectFTPCommandGetData);	2,216✔
88
89	SCLogDebug("registering " BUFFER_NAME " rule option");	2,216✔
90	}	2,216✔

OISF / suricata / 23338889526

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous