From ff59f215d6cd6db22b3fd9c5e0012baaaa0ad82b Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Sat, 19 Apr 2025 09:49:45 -0400 Subject: [PATCH] doc/ftp: Document ftp.dynamic_port keyword Document the sticky buffer for ftp.dynamic_port --- doc/userguide/rules/ftp-keywords.rst | 47 ++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/doc/userguide/rules/ftp-keywords.rst b/doc/userguide/rules/ftp-keywords.rst index 98a14f879a..2386b29643 100644 --- a/doc/userguide/rules/ftp-keywords.rst +++ b/doc/userguide/rules/ftp-keywords.rst 
@@ -113,6 +113,53 @@ Example rules for each of the preceding FTP commands and command data. alert ftp any any -> any any (:example-rule-options:`ftp.command_data; content:"192,168,0,13,234,10";` sid: 3;) +ftp.dynamic_port +---------------- + +This keyword matches on the dynamic port negotiated during an FTP session with +the following FTP commands: + +* IPv4: ``PORT`` and ``EPRT`` +* IPv6: ``PASV`` and ``EPSV`` + +Syntax:: + + ftp.dynamic_port: ; + +``port-spec`` can be one of the following: + +* ``>`` (greater than) +* ``<`` (less than) +* ``>=`` (greater than or equal) +* ``<=`` (less than or equal) +* ``arg1-arg2`` (exclusive range) + +Signature Example: + +.. container:: example-rule + + alert ftp any any -> any any (:example-rule-options:`ftp.dynamic_port: 59914;` sid: 1;) + +These rules are will also alert on port ``59914``: + +.. container:: example-rule + + alert ftp any any -> any any (:example-rule-options:`ftp.dynamic_port: 59913-59915;` sid: 1;) + +.. container:: example-rule + + alert ftp any any -> any any (:example-rule-options:`ftp.dynamic_port: =59914;` sid: 1;) + +Example rules combining ``ftp.dynamic_port`` with ``ftp.command`` + +.. container:: example-rule + + alert ftp any any -> any any (ftp.command; content: "PORT"; :example-rule-options:`ftp.dynamic_port: 59914;` sid: 1;) + +.. container:: example-rule + + alert ftp any any -> any any (ftp.command; content: "EPSV"; :example-rule-options:`ftp.dynamic_port: 58612;` sid: 1;) + ftp.reply ---------
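Review bot: The command list at the top of the new ``ftp.dynamic_port`` section groups the commands by IP version (``IPv4: PORT and EPRT``, ``IPv6: PASV and EPSV``), which is incorrect. PORT and PASV are the RFC 959 commands and carry IPv4 addresses only, while EPRT and EPSV are the RFC 2428 extensions that work for both IPv4 and IPv6. The pairing as written is really active mode (PORT, EPRT) versus passive mode (PASV, EPSV), so label the bullets that way. Further down, the ``Syntax::`` line reads ``ftp.dynamic_port: ;`` with no placeholder, although the next sentence refers to ``port-spec``. The ``port-spec`` list covers only ``>``, ``<``, ``>=``, ``<=`` and ranges, while the examples use a bare value (``59914``) and ``=59914``, so add the equality forms to the list. It would also help to state next to "exclusive range" that ``59913-59915`` matches only ``59914``, since rule writers who assume inclusive bounds will silently miss the endpoints. Smaller points: "These rules are will also alert" needs a word dropped, every example reuses ``sid: 1`` although the two combined-keyword rules match different ports, and the commit message calls this a sticky buffer while the documented syntax is an integer comparison with no ``content`` match following it.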