23374838686

Committed 21 Mar 2026 07:29AM UTC coverage: 59.341% (-20.0%) from 79.315%

Build # 23374838686

Build Type

Pull #15075

github

Committed by

web-flow

Commit Message

Merge 90b4e834f into 6587e363a

Pull Request Pull Request #15075: Stack 8001 v16.4

Coverage Stats

38 of 70 new or added lines in 10 files covered. (54.29%)

34165 existing lines in 563 files now uncovered.

119621 of 201584 relevant lines covered (59.34%)

650666.92 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

61.76

/src/detect-ftp-command.c

/* Copyright (C) 2025 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 *
 * \author Jeff Lucovsky <jlucovsky@oisf.net>
 *
 * Implements the ftp.command sticky buffer
 *
 */

#include "suricata-common.h"
#include "detect.h"

#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-buffer.h"
#include "detect-engine-helper.h"

#include "flow.h"

#include "app-layer.h"
#include "app-layer-ftp.h"

#include "detect-ftp-command.h"

#define KEYWORD_NAME "ftp.command"
#define KEYWORD_DOC  "ftp-keywords.html#ftp-command"
#define BUFFER_NAME  "ftp.command"
#define BUFFER_DESC  "ftp command"

static int g_ftp_cmd_buffer_id = 0;

static int DetectFtpCommandSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    if (SCDetectBufferSetActiveList(de_ctx, s, g_ftp_cmd_buffer_id) < 0)
        return -1;

    if (SCDetectSignatureSetAppProto(s, ALPROTO_FTP) < 0)
        return -1;

    return 0;
}

static bool DetectFTPCommandGetData(
        const void *txv, const uint8_t _flow_flags, const uint8_t **buffer, uint32_t *buffer_len)
{
    FTPTransaction *tx = (FTPTransaction *)txv;

    if (tx->command_descriptor.command_code == FTP_COMMAND_UNKNOWN)
        return false;

    uint8_t b_len = 0;
    if (SCGetFtpCommandInfo(
                tx->command_descriptor.command_index, (const char **)buffer, NULL, &b_len)) {
        *buffer_len = b_len;
        return true;
    } else {
        return false;
    }
}

void DetectFtpCommandRegister(void)
{
    /* ftp.command sticky buffer */
    sigmatch_table[DETECT_FTP_COMMAND].name = KEYWORD_NAME;
    sigmatch_table[DETECT_FTP_COMMAND].desc = "sticky buffer to match on the FTP command buffer";
    sigmatch_table[DETECT_FTP_COMMAND].url = "/rules/" KEYWORD_DOC;
    sigmatch_table[DETECT_FTP_COMMAND].Setup = DetectFtpCommandSetup;
    sigmatch_table[DETECT_FTP_COMMAND].flags |= SIGMATCH_NOOPT;

    g_ftp_cmd_buffer_id = SCDetectHelperBufferMpmRegister(
            BUFFER_NAME, BUFFER_DESC, ALPROTO_FTP, STREAM_TOSERVER, DetectFTPCommandGetData);

    SCLogDebug("registering " BUFFER_NAME " rule option");
}

1	/* Copyright (C) 2025 Open Information Security Foundation
2	*
3	* You can copy, redistribute or modify this Program under the terms of
4	* the GNU General Public License version 2 as published by the Free
5	* Software Foundation.
6	*
7	* This program is distributed in the hope that it will be useful,
8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10	* GNU General Public License for more details.
11	*
12	* You should have received a copy of the GNU General Public License
13	* version 2 along with this program; if not, write to the Free Software
14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15	* 02110-1301, USA.
16	*/
17
18	/**
19	*
20	* \author Jeff Lucovsky <jlucovsky@oisf.net>
21	*
22	* Implements the ftp.command sticky buffer
23	*
24	*/
25
26	#include "suricata-common.h"
27	#include "detect.h"
28
29	#include "detect-parse.h"
30	#include "detect-engine.h"
31	#include "detect-engine-buffer.h"
32	#include "detect-engine-helper.h"
33
34	#include "flow.h"
35
36	#include "app-layer.h"
37	#include "app-layer-ftp.h"
38
39	#include "detect-ftp-command.h"
40
41	#define KEYWORD_NAME "ftp.command"	3✔
42	#define KEYWORD_DOC "ftp-keywords.html#ftp-command"	3✔
43	#define BUFFER_NAME "ftp.command"	3✔
44	#define BUFFER_DESC "ftp command"	3✔
45
46	static int g_ftp_cmd_buffer_id = 0;
47
48	static int DetectFtpCommandSetup(DetectEngineCtx de_ctx, Signature s, const char *str)
49	{	72✔
50	if (SCDetectBufferSetActiveList(de_ctx, s, g_ftp_cmd_buffer_id) < 0)	72✔
51	return -1;	1✔
52
53	if (SCDetectSignatureSetAppProto(s, ALPROTO_FTP) < 0)	71✔
54	return -1;	1✔
55
56	return 0;	70✔
57	}	71✔
58
59	static bool DetectFTPCommandGetData(
60	const void txv, const uint8_t _flow_flags, const uint8_t buffer, uint32_t buffer_len)
UNCOV 61	{	×
UNCOV 62	FTPTransaction tx = (FTPTransaction )txv;	×
63
UNCOV 64	if (tx->command_descriptor.command_code == FTP_COMMAND_UNKNOWN)	×
UNCOV 65	return false;	×
66
UNCOV 67	uint8_t b_len = 0;	×
UNCOV 68	if (SCGetFtpCommandInfo(	×
UNCOV 69	tx->command_descriptor.command_index, (const char **)buffer, NULL, &b_len)) {	×
UNCOV 70	*buffer_len = b_len;	×
UNCOV 71	return true;	×
UNCOV 72	} else {	×
73	return false;	×
74	}	×
UNCOV 75	}	×
76
77	void DetectFtpCommandRegister(void)
78	{	3✔
79	/* ftp.command sticky buffer */
80	sigmatch_table[DETECT_FTP_COMMAND].name = KEYWORD_NAME;	3✔
81	sigmatch_table[DETECT_FTP_COMMAND].desc = "sticky buffer to match on the FTP command buffer";	3✔
82	sigmatch_table[DETECT_FTP_COMMAND].url = "/rules/" KEYWORD_DOC;	3✔
83	sigmatch_table[DETECT_FTP_COMMAND].Setup = DetectFtpCommandSetup;	3✔
84	sigmatch_table[DETECT_FTP_COMMAND].flags \|= SIGMATCH_NOOPT;	3✔
85
86	g_ftp_cmd_buffer_id = SCDetectHelperBufferMpmRegister(	3✔
87	BUFFER_NAME, BUFFER_DESC, ALPROTO_FTP, STREAM_TOSERVER, DetectFTPCommandGetData);	3✔
88
89	SCLogDebug("registering " BUFFER_NAME " rule option");	3✔
90	}	3✔

OISF / suricata / 23374838686

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous