|
|
|
|
@ -113,6 +113,53 @@ Example rules for each of the preceding FTP commands and command data.
|
|
|
|
|
|
|
|
|
|
alert ftp any any -> any any (:example-rule-options:`ftp.command_data; content:"192,168,0,13,234,10";` sid: 3;)
|
|
|
|
|
|
|
|
|
|
ftp.dynamic_port
|
|
|
|
|
----------------
|
|
|
|
|
|
|
|
|
|
This keyword matches on the dynamic port negotiated during an FTP session with
|
|
|
|
|
the following FTP commands:
|
|
|
|
|
|
|
|
|
|
* IPv4: ``PORT`` and ``EPRT``
|
|
|
|
|
* IPv6: ``PASV`` and ``EPSV``
|
|
|
|
|
|
|
|
|
|
Syntax::
|
|
|
|
|
|
|
|
|
|
ftp.dynamic_port: <port-spec>;
|
|
|
|
|
|
|
|
|
|
``port-spec`` can be one of the following:
|
|
|
|
|
|
|
|
|
|
* ``>`` (greater than)
|
|
|
|
|
* ``<`` (less than)
|
|
|
|
|
* ``>=`` (greater than or equal)
|
|
|
|
|
* ``<=`` (less than or equal)
|
|
|
|
|
* ``arg1-arg2`` (exclusive range)
|
|
|
|
|
|
|
|
|
|
Signature Example:
|
|
|
|
|
|
|
|
|
|
.. container:: example-rule
|
|
|
|
|
|
|
|
|
|
alert ftp any any -> any any (:example-rule-options:`ftp.dynamic_port: 59914;` sid: 1;)
|
|
|
|
|
|
|
|
|
|
These rules are will also alert on port ``59914``:
|
|
|
|
|
|
|
|
|
|
.. container:: example-rule
|
|
|
|
|
|
|
|
|
|
alert ftp any any -> any any (:example-rule-options:`ftp.dynamic_port: 59913-59915;` sid: 1;)
|
|
|
|
|
|
|
|
|
|
.. container:: example-rule
|
|
|
|
|
|
|
|
|
|
alert ftp any any -> any any (:example-rule-options:`ftp.dynamic_port: =59914;` sid: 1;)
|
|
|
|
|
|
|
|
|
|
Example rules combining ``ftp.dynamic_port`` with ``ftp.command``
|
|
|
|
|
|
|
|
|
|
.. container:: example-rule
|
|
|
|
|
|
|
|
|
|
alert ftp any any -> any any (ftp.command; content: "PORT"; :example-rule-options:`ftp.dynamic_port: 59914;` sid: 1;)
|
|
|
|
|
|
|
|
|
|
.. container:: example-rule
|
|
|
|
|
|
|
|
|
|
alert ftp any any -> any any (ftp.command; content: "EPSV"; :example-rule-options:`ftp.dynamic_port: 58612;` sid: 1;)
|
|
|
|
|
|
|
|
|
|
ftp.reply
|
|
|
|
|
---------
|
|
|
|
|
|
|
|
|
|
|
Jeff Lucovsky
3 months ago
committed by
Victor Julien