diff --git a/doc/userguide/rules/ftp-keywords.rst b/doc/userguide/rules/ftp-keywords.rst index 2627565de0..98a14f879a 100644 --- a/doc/userguide/rules/ftp-keywords.rst +++ b/doc/userguide/rules/ftp-keywords.rst @@ -49,7 +49,7 @@ For additional information on the ``file.name`` keyword, see :doc:`file-keywords ftp.command ----------- -This keyword matches on the command name from a FTP client request. ``ftp.command`` +This keyword matches on the command name from an FTP client request. ``ftp.command`` is a sticky buffer and can be used as a fast pattern. Syntax:: @@ -95,7 +95,6 @@ examples:: RETR temp.txt PORT 192,168,0,13,234,10 - Example rules for each of the preceding FTP commands and command data. .. container:: example-rule 
@@ -114,3 +113,34 @@ Example rules for each of the preceding FTP commands and command data. alert ftp any any -> any any (:example-rule-options:`ftp.command_data; content:"192,168,0,13,234,10";` sid: 3;) +ftp.reply +--------- + +This keyword matches on an FTP reply string. Note that there may be multiple reply strings for +an FTP command. ``ftp.reply`` is a sticky buffer and can be used as a fast pattern. Do not +include the completion code in the `content` to match upon (see examples). + +Syntax:: + + ftp.reply; content: ; + alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Please specify the password.";` sid: 1;) + +.. note :: + FTP commands can return multiple reply strings. Specify a single reply for each ``ftp.reply`` keyword. + +This example shows an FTP command (``RETR``) followed by an FTP reply with multiple response strings. +:: + + RETR temp.txt + 150 Opening BINARY mode data connection for temp.txt (1164 bytes). + 226 Transfer complete. + +Signature Example: + +.. container:: example-rule + + alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Opening BINARY mode data connection for temp.";` sid: 1;) + +.. container:: example-rule + + alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Transfer complete.";` sid: 2;)
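Review bot: In the second hunk (`@@ -95,7 +95,6 @@`), the removed blank line sits between the indented `examples::` literal block (`RETR temp.txt` / `PORT 192,168,0,13,234,10`) and the paragraph `Example rules for each of the preceding FTP commands and command data.`; please confirm that at least one blank line still separates the two after the change, since without it reStructuredText would treat the paragraph as a continuation of the literal block and render it as preformatted text instead of prose.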
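Review bot: In the third hunk, the line `alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Please specify the password.";` sid: 1;)` is indented under `Syntax::`, so it becomes part of that literal block and the `:example-rule-options:` role is emitted verbatim rather than rendered; move it into its own `.. container:: example-rule` block with a blank line before it, matching how the `ftp.command` and `ftp.command_data` examples are laid out. Two smaller consistency points in the same hunk: `.. note ::` should be written `.. note::` like the other directives in this file, and the single-backtick `content` in "Do not include the completion code in the `content` to match upon" is interpreted text in reStructuredText, whereas the rest of the section uses double backticks (``` ``ftp.reply`` ```) for inline literals. The sentence about multiple reply strings also appears twice (once in the paragraph, once in the note); keeping it in one place would read cleaner.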