tests: add test cases for bug 8489 #3041
Open
jlucovsky wants to merge 1 commit into OISF:master from
Conversation
jufajardini reviewed Apr 22, 2026
Contributor jufajardini left a comment
It looks good to me -- I did miss README files to explain the .syn and Makefile files, but overall, from the explanation, it looks good.
I labeled it as requiring a fix as I didn't see a Suricata PR yet.
| @@ -0,0 +1,5 @@ | |||
| # response rule is required to keep Suricata's to_client FTP parsing active | |||
| # so responses complete pending transactions; without it the max-tx check | |||
| # does not fire in the to_server direction. | |||
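Review bot: the header comment in this new file (three of the five added lines) explains why a to_client rule has to be present but never says which sid it is, so a later cleanup that sees a rule that "never fires" could drop it and silently turn the max-tx check off; name the sid in the comment (e.g. "# sid 2 (response_command_too_long) exists only to keep to_client parsing active") and, since the review above asked for README files, repeat the explanation there.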
Contributor
I wonder if running inline would make it possible to alert on sid 3 without sid 2...
Issue: 8489

Three test cases:
- bug-8489-01: two commands with max-tx=1 (limit exceeded) raises the too_many_transactions anomaly and fires the corresponding alert.
- bug-8489-02: six commands under max-tx=10 raise no anomaly and no alert (negative regression).
- bug-8489-03: burst of commands exceeding the limit followed by a new command after a server response. Verifies the flow keeps parsing after the event fires, so later commands are still logged.

Each test has a response_command_too_long rule alongside the too_many_transactions rule so the to_client FTP parsing path stays active; without a to_client app-layer-event signature Suricata skips response parsing and the max-tx check does not fire.
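What one of these suricata-verify cases looks like on disk, written here as an added illustration of the design described in the commit message; it is not a file from this PR (the PR's test files are not shown on this page). The config path app-layer.protocols.ftp.max-tx, the minimum version, the anomaly event name too_many_transactions as it appears in EVE, the sids (1 for the to_server too_many_transactions rule, 2 for the to_client response_command_too_long rule) and the expected counts are assumptions drawn from the description above; check them against the merged tests before reusing.

```yaml
# bug-8489-01/test.yaml (constructed example, not the PR's file)
# Assumes a pcap in the same directory with two FTP commands and one
# server response, and a test.rules file with sid 1 (ftp.too_many_transactions)
# and sid 2 (ftp.response_command_too_long).
requires:
  min-version: 8.0.0        # assumption: FTP max-tx is a Suricata 8 setting

args:
  - -k none
  - --set app-layer.protocols.ftp.max-tx=1   # assumed config path

checks:
  # The second to_server command exceeds max-tx=1: exactly one anomaly.
  - filter:
      count: 1
      match:
        event_type: anomaly
        anomaly.type: applayer
        app_proto: ftp
        anomaly.event: too_many_transactions
  # The matching to_server rule fires once.
  - filter:
      count: 1
      match:
        event_type: alert
        alert.signature_id: 1
  # The to_client keep-alive rule exists only to keep response parsing
  # active; a normal-length response must not trigger it.
  - filter:
      count: 0
      match:
        event_type: alert
        alert.signature_id: 2
```

The accompanying test.rules would carry two signatures of the form `alert ftp any any -> any any (msg:"FTP too many transactions"; app-layer-event:ftp.too_many_transactions; sid:1; rev:1;)` and `alert ftp any any -> any any (msg:"FTP response too long"; app-layer-event:ftp.response_command_too_long; sid:2; rev:1;)`; the second is the one the commit message says is needed so Suricata keeps parsing the to_client side. The negative case (bug-8489-02) is the same file with max-tx=10 and count: 0 on both the anomaly and sid 1.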
victorjulien
approved these changes
May 8, 2026
Ticket
If your pull request is related to a Suricata ticket, please provide the full URL to the ticket here so this pull request can monitor changes to the ticket status:
Redmine ticket: https://redmine.openinfosecfoundation.org/issues/8489