diff --git a/doc/userguide/rules/ftp-keywords.rst b/doc/userguide/rules/ftp-keywords.rst index 2386b29643..8e4ccbee63 100644 --- a/doc/userguide/rules/ftp-keywords.rst +++ b/doc/userguide/rules/ftp-keywords.rst @@ -160,6 +160,39 @@ Example rules combining ``ftp.dynamic_port`` with ``ftp.command`` alert ftp any any -> any any (ftp.command; content: "EPSV"; :example-rule-options:`ftp.dynamic_port: 58612;` sid: 1;) +ftp.mode +-------- + +This keyword matches on whether the FTP session is dynamic or passive. +In `active` mode sessions, the server establishes the data channel. +In `passive` mode, the client establishes the data channel. Active +mode sessions are established in part with the ``PORT`` (``EPRT`` for IPv6) +command; passive mode sessions use ``PASV`` (``EPSV`` for IPv6). + +Syntax:: + + ftp.mode: active|passive; + +Signature Example: + +.. container:: example-rule + + alert ftp any any -> any any (:example-rule-options:`ftp.mode: active;` sid: 1;) + +.. container:: example-rule + + alert ftp any any -> any any (:example-rule-options:`ftp.mode: passive;` sid: 1;) + +Example rules combining ``ftp.command`` with ``ftp.mode`` + +.. container:: example-rule + + alert ftp any any -> any any (ftp.command; content: "PORT"; :example-rule-options:`ftp.mode: active;` sid:1;) + +.. container:: example-rule + + alert ftp any any -> any any (ftp.command; content: "PASV"; :example-rule-options:`ftp.mode: passive;` sid:1;) + ftp.reply --------- @@ -170,7 +203,6 @@ include the completion code in the `content` to match upon (see examples). Syntax:: ftp.reply; content: ; - alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Please specify the password.";` sid: 1;) .. note :: FTP commands can return multiple reply strings. Specify a single reply for each ``ftp.reply`` keyword. 
@@ -184,6 +216,10 @@ This example shows an FTP command (``RETR``) followed by an FTP reply with multi Signature Example: +.. container:: example-rule + + alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Please specify the password.";` sid: 1;) + .. container:: example-rule alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Opening BINARY mode data connection for temp.";` sid: 1;)
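Review bot: In the new ``ftp.mode`` section the opening sentence says the keyword matches on whether the session is "dynamic or passive"; the two modes the keyword takes are ``active`` and ``passive`` (as the syntax line ``ftp.mode: active|passive;`` shows), so this should read "whether the FTP session is active or passive". The parentheticals "``EPRT`` for IPv6" and "``EPSV`` for IPv6" are also inaccurate: ``EPRT``/``EPSV`` are the extended forms from RFC 2428 and work for both IPv4 and IPv6 (``EPSV`` is in fact the command shown in the existing ``ftp.dynamic_port`` example just above); suggest "``PORT`` (or the extended ``EPRT``)" and "``PASV`` (or the extended ``EPSV``)". Minor style points in the same hunk: `active`/`passive` use single backticks (RST interpreted text, rendered as emphasis) while the commands use double-backtick literals, and the combined examples use ``sid:1;`` where the rest of the file writes ``sid: 1;``.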
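Review bot: Relocating the ``Please specify the password.`` example out of the ``ftp.reply`` ``Syntax::`` block is the right fix, since indented under ``Syntax::`` it rendered as part of the literal syntax rather than as a rule; do check that the literal block still ends with a blank line before the ``.. note ::`` directive after the removal, otherwise the note is absorbed into the literal block.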
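Review bot: The re-added ``Please specify the password.`` example is inserted directly under the sentence "This example shows an FTP command (``RETR``) followed by an FTP reply with multi…", so the first rule the reader sees after that lead-in is a ``PASS``-related reply with no ``ftp.command`` part, which does not match the description. Either place the new ``.. container:: example-rule`` after the existing ``Opening BINARY mode data connection for temp.`` example, or move it up to sit under the generic "Signature Example:" of the ``ftp.reply`` section before the multi-reply explanation.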