fix bro_ftp pattern

contrib/parsers/bro_ftp

@@ -3,27 +3,27 @@
   <rules>
     <rule provider="Security_Onion" class='26003' id=''>
       <patterns>
-        <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING::|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s3:|@@ESTRING::|@@ESTRING::@</pattern>
+        <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING::|@@ESTRING:i4:|@@ESTRING:s3:|@@ESTRING::|@@ESTRING::|@@ESTRING::@</pattern>
       </patterns>
       <examples>
         <example>
-          <test_message program="bro_ftp">1374184393.495227|qoHLWssGGD1|172.16.2.92|55604|192.168.24.8|21|anonymous|chrome@example.com|RETR|ftp://172.16.2.90/files/doubletree.pdf|application/pdf|PDF document, version 1.4|748|226|Transfer complete.|-|-</test_message>
+          <test_message program="bro_ftp">1481292235.047413|CKDnGH1oOwkjKWnnAh|172.16.150.20|1367|66.32.119.38|21|jack|hidden|STOR|ftp://66.32.119.38/./1.txt|application/x-rar|-|226|Transfer complete.|-|-|-|-|FjZnCN1shh4C6dSLsj</test_message>
           <!-- srcip -->
-          <test_value name="i0">172.16.2.92</test_value>
+          <test_value name="i0">172.16.150.20</test_value>
           <!-- srcport -->
-          <test_value name="i1">55604</test_value>
+          <test_value name="i1">1367</test_value>
           <!-- dstip -->
-          <test_value name="i2">192.168.24.8</test_value>
+          <test_value name="i2">66.32.119.38</test_value>
           <!-- dstport -->
           <test_value name="i3">21</test_value>
           <!-- command -->
-          <test_value name="s0">RETR</test_value>
+          <test_value name="s0">STOR</test_value>
           <!-- arg -->
-          <test_value name="s1">ftp://172.16.2.90/files/doubletree.pdf</test_value>
+          <test_value name="s1">ftp://66.32.119.38/./1.txt</test_value>
           <!-- mime_type -->
-          <test_value name="s2">application/pdf</test_value>
+          <test_value name="s2">application/x-rar</test_value>
           <!-- file_size -->
-          <test_value name="i4">748</test_value>
+          <test_value name="i4">226</test_value>
           <!-- reply_msg -->
           <test_value name="s3">Transfer complete.</test_value>
         </example>

debian/changelog

@@ -1,3 +1,9 @@
+securityonion-elsa-extras (20151011-1ubuntu1securityonion47) trusty; urgency=medium
+
+  * fix bro_ftp pattern 
+
+ -- Doug Burks <doug.burks@gmail.com>  Fri, 09 Dec 2016 09:42:31 -0500
+
 securityonion-elsa-extras (20151011-1ubuntu1securityonion46) trusty; urgency=medium
 
   * update bro_ssh pattern for Bro 2.5 

debian/patches/fix-bro_ftp-pattern

@@ -0,0 +1,64 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-elsa-extras (20151011-1ubuntu1securityonion47) trusty; urgency=medium
+ .
+   * fix bro_ftp pattern
+Author: Doug Burks <doug.burks@gmail.com>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- securityonion-elsa-extras-20151011.orig/contrib/parsers/bro_ftp
++++ securityonion-elsa-extras-20151011/contrib/parsers/bro_ftp
+@@ -3,27 +3,27 @@
+   <rules>
+     <rule provider="Security_Onion" class='26003' id=''>
+       <patterns>
+-        <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING::|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:s3:|@@ESTRING::|@@ESTRING::@</pattern>
++        <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING::|@@ESTRING:i4:|@@ESTRING:s3:|@@ESTRING::|@@ESTRING::|@@ESTRING::@</pattern>
+       </patterns>
+       <examples>
+         <example>
+-          <test_message program="bro_ftp">1374184393.495227|qoHLWssGGD1|172.16.2.92|55604|192.168.24.8|21|anonymous|chrome@example.com|RETR|ftp://172.16.2.90/files/doubletree.pdf|application/pdf|PDF document, version 1.4|748|226|Transfer complete.|-|-</test_message>
++          <test_message program="bro_ftp">1481292235.047413|CKDnGH1oOwkjKWnnAh|172.16.150.20|1367|66.32.119.38|21|jack|hidden|STOR|ftp://66.32.119.38/./1.txt|application/x-rar|-|226|Transfer complete.|-|-|-|-|FjZnCN1shh4C6dSLsj</test_message>
+           <!-- srcip -->
+-          <test_value name="i0">172.16.2.92</test_value>
++          <test_value name="i0">172.16.150.20</test_value>
+           <!-- srcport -->
+-          <test_value name="i1">55604</test_value>
++          <test_value name="i1">1367</test_value>
+           <!-- dstip -->
+-          <test_value name="i2">192.168.24.8</test_value>
++          <test_value name="i2">66.32.119.38</test_value>
+           <!-- dstport -->
+           <test_value name="i3">21</test_value>
+           <!-- command -->
+-          <test_value name="s0">RETR</test_value>
++          <test_value name="s0">STOR</test_value>
+           <!-- arg -->
+-          <test_value name="s1">ftp://172.16.2.90/files/doubletree.pdf</test_value>
++          <test_value name="s1">ftp://66.32.119.38/./1.txt</test_value>
+           <!-- mime_type -->
+-          <test_value name="s2">application/pdf</test_value>
++          <test_value name="s2">application/x-rar</test_value>
+           <!-- file_size -->
+-          <test_value name="i4">748</test_value>
++          <test_value name="i4">226</test_value>
+           <!-- reply_msg -->
+           <test_value name="s3">Transfer complete.</test_value>
+         </example>

debian/patches/series

@@ -31,3 +31,4 @@ update-bro_http-pattern-for-Bro-2.5
 update-bro_intel-pattern-for-Bro-2.5
 update-bro_smtp-pattern-for-Bro-2.5
 update-bro_ssh-pattern-for-Bro-2.5
+fix-bro_ftp-pattern