doc/ftp: Document ftp.reply_received

Add documentation for the ftp.reply_received keyword.
7 months ago · aec2513799
parent 263d56fd11
commit aec2513799
1 changed files with 25 additions and 0 deletions
--- a/doc/userguide/rules/ftp-keywords.rst
+++ b/doc/userguide/rules/ftp-keywords.rst
@ -227,3 +227,28 @@ Signature Example:
 .. container:: example-rule

  alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Transfer complete.";` sid: 2;)
+
+ftp.reply_received
+------------------
+
+This keyword matches on whether an FTP reply string was received. EVE logs
+with the FTP event_type include a field named ``reply_received``. Use this
+keyword to alert when a reply is (is not) received. ``ftp.reply_received``
+is not a sticky buffer and uses a different syntax to express its value.
+
+.. note ::
+   Specify the match value without using quotes, e.g., use yes instead of "yes".
+
+Syntax::
+
+  ftp.reply_received: yes|on|true|1|no|off|false|0;
+
+Signature Example:
+
+.. container:: example-rule
+
+  alert ftp any any -> any any (:example-rule-options:`ftp.reply_received: yes;` sid: 1;)
+
+.. container:: example-rule
+
+  alert ftp any any -> any any (:example-rule-options:`ftp.reply_received: no;` sid: 1;)