23350763619

Committed 20 Mar 2026 03:49PM UTC coverage: 76.429% (-2.9%) from 79.315%

Build # 23350763619

Build Type

Pull #15029

github

Committed by

web-flow

Commit Message

Merge 5fca25ef1 into 6587e363a

Pull Request Pull Request #15029: Fw updates/v5

Coverage Stats

379 of 449 new or added lines in 26 files covered. (84.41%)

13267 existing lines in 297 files now uncovered.

244170 of 319471 relevant lines covered (76.43%)

3147764.06 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

57.14

/src/detect-ftp-command-data.c

/* Copyright (C) 2025 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 *
 * \author Jeff Lucovsky <jlucovsky@oisf.net>
 *
 * Implements the ftp.command_data sticky buffer
 *
 */

#include "suricata-common.h"
#include "detect.h"

#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-buffer.h"
#include "detect-engine-mpm.h"
#include "detect-engine-prefilter.h"
#include "detect-engine-helper.h"
#include "detect-content.h"

#include "flow.h"

#include "util-debug.h"

#include "app-layer.h"
#include "app-layer-ftp.h"

#include "detect-ftp-command-data.h"

#define KEYWORD_NAME "ftp.command_data"
#define KEYWORD_DOC  "ftp-keywords.html#ftp-command_data"
#define BUFFER_NAME  "ftp.command_data"
#define BUFFER_DESC  "ftp command_data"

static int g_ftp_cmd_data_buffer_id = 0;

static int DetectFtpCommandDataSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    if (SCDetectBufferSetActiveList(de_ctx, s, g_ftp_cmd_data_buffer_id) < 0)
        return -1;

    if (SCDetectSignatureSetAppProto(s, ALPROTO_FTP) < 0)
        return -1;

    return 0;
}

static bool DetectFTPCommandDataGetData(
        const void *txv, const uint8_t _flow_flags, const uint8_t **buffer, uint32_t *buffer_len)
{
    FTPTransaction *tx = (FTPTransaction *)txv;

    if (tx->command_descriptor.command_code == FTP_COMMAND_UNKNOWN)
        return false;

    const char *b;
    uint8_t b_len;
    if (SCGetFtpCommandInfo(tx->command_descriptor.command_index, &b, NULL, &b_len)) {
        if ((tx->request_length - b_len - 1) > 0) {
            // command data starts here: advance past command + 1 space
            *buffer = tx->request + b_len + 1;
            *buffer_len = tx->request_length - b_len - 1;
            SCLogDebug("command data: \"%s\" [bytes %d]", *buffer, *buffer_len);
            return true;
        }
    }

    *buffer = NULL;
    *buffer_len = 0;
    return false;
}

void DetectFtpCommandDataRegister(void)
{
    /* ftp.command sticky buffer */
    sigmatch_table[DETECT_FTP_COMMAND_DATA].name = KEYWORD_NAME;
    sigmatch_table[DETECT_FTP_COMMAND_DATA].desc =
            "sticky buffer to match on the FTP command data buffer";
    sigmatch_table[DETECT_FTP_COMMAND_DATA].url = "/rules/" KEYWORD_DOC;
    sigmatch_table[DETECT_FTP_COMMAND_DATA].Setup = DetectFtpCommandDataSetup;
    sigmatch_table[DETECT_FTP_COMMAND_DATA].flags |= SIGMATCH_NOOPT;

    SCDetectHelperBufferMpmRegister(
            BUFFER_NAME, BUFFER_DESC, ALPROTO_FTP, STREAM_TOSERVER, DetectFTPCommandDataGetData);

    DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);

    g_ftp_cmd_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);

    SCLogDebug("registering " BUFFER_NAME " rule option");
}

1	/* Copyright (C) 2025 Open Information Security Foundation
2	*
3	* You can copy, redistribute or modify this Program under the terms of
4	* the GNU General Public License version 2 as published by the Free
5	* Software Foundation.
6	*
7	* This program is distributed in the hope that it will be useful,
8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10	* GNU General Public License for more details.
11	*
12	* You should have received a copy of the GNU General Public License
13	* version 2 along with this program; if not, write to the Free Software
14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15	* 02110-1301, USA.
16	*/
17
18	/**
19	*
20	* \author Jeff Lucovsky <jlucovsky@oisf.net>
21	*
22	* Implements the ftp.command_data sticky buffer
23	*
24	*/
25
26	#include "suricata-common.h"
27	#include "detect.h"
28
29	#include "detect-parse.h"
30	#include "detect-engine.h"
31	#include "detect-engine-buffer.h"
32	#include "detect-engine-mpm.h"
33	#include "detect-engine-prefilter.h"
34	#include "detect-engine-helper.h"
35	#include "detect-content.h"
36
37	#include "flow.h"
38
39	#include "util-debug.h"
40
41	#include "app-layer.h"
42	#include "app-layer-ftp.h"
43
44	#include "detect-ftp-command-data.h"
45
46	#define KEYWORD_NAME "ftp.command_data"	34✔
47	#define KEYWORD_DOC "ftp-keywords.html#ftp-command_data"	34✔
48	#define BUFFER_NAME "ftp.command_data"	102✔
49	#define BUFFER_DESC "ftp command_data"	68✔
50
51	static int g_ftp_cmd_data_buffer_id = 0;
52
53	static int DetectFtpCommandDataSetup(DetectEngineCtx de_ctx, Signature s, const char *str)
54	{	160✔
55	if (SCDetectBufferSetActiveList(de_ctx, s, g_ftp_cmd_data_buffer_id) < 0)	160✔
56	return -1;	1✔
57
58	if (SCDetectSignatureSetAppProto(s, ALPROTO_FTP) < 0)	159✔
59	return -1;	1✔
60
61	return 0;	158✔
62	}	159✔
63
64	static bool DetectFTPCommandDataGetData(
65	const void txv, const uint8_t _flow_flags, const uint8_t buffer, uint32_t buffer_len)
UNCOV 66	{	×
UNCOV 67	FTPTransaction tx = (FTPTransaction )txv;	×
68
UNCOV 69	if (tx->command_descriptor.command_code == FTP_COMMAND_UNKNOWN)	×
UNCOV 70	return false;	×
71
UNCOV 72	const char *b;	×
UNCOV 73	uint8_t b_len;	×
UNCOV 74	if (SCGetFtpCommandInfo(tx->command_descriptor.command_index, &b, NULL, &b_len)) {	×
UNCOV 75	if ((tx->request_length - b_len - 1) > 0) {	×
76	// command data starts here: advance past command + 1 space
UNCOV 77	*buffer = tx->request + b_len + 1;	×
UNCOV 78	*buffer_len = tx->request_length - b_len - 1;	×
UNCOV 79	SCLogDebug("command data: \"%s\" [bytes %d]", buffer, buffer_len);	×
UNCOV 80	return true;	×
UNCOV 81	}	×
UNCOV 82	}	×
83
UNCOV 84	*buffer = NULL;	×
UNCOV 85	*buffer_len = 0;	×
UNCOV 86	return false;	×
UNCOV 87	}	×
88
89	void DetectFtpCommandDataRegister(void)
90	{	34✔
91	/* ftp.command sticky buffer */
92	sigmatch_table[DETECT_FTP_COMMAND_DATA].name = KEYWORD_NAME;	34✔
93	sigmatch_table[DETECT_FTP_COMMAND_DATA].desc =	34✔
94	"sticky buffer to match on the FTP command data buffer";	34✔
95	sigmatch_table[DETECT_FTP_COMMAND_DATA].url = "/rules/" KEYWORD_DOC;	34✔
96	sigmatch_table[DETECT_FTP_COMMAND_DATA].Setup = DetectFtpCommandDataSetup;	34✔
97	sigmatch_table[DETECT_FTP_COMMAND_DATA].flags \|= SIGMATCH_NOOPT;	34✔
98
99	SCDetectHelperBufferMpmRegister(	34✔
100	BUFFER_NAME, BUFFER_DESC, ALPROTO_FTP, STREAM_TOSERVER, DetectFTPCommandDataGetData);	34✔
101
102	DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);	34✔
103
104	g_ftp_cmd_data_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);	34✔
105
106	SCLogDebug("registering " BUFFER_NAME " rule option");	34✔
107	}	34✔

OISF / suricata / 23350763619

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous