mirror of https://github.com/OISF/suricata
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
74 lines
1.4 KiB
ReStructuredText
74 lines
1.4 KiB
ReStructuredText
FTP/FTP-DATA Keywords
|
|
=====================
|
|
|
|
.. role:: example-rule-options
|
|
|
|
ftpdata_command
|
|
---------------
|
|
|
|
Filter ftp-data channel based on command used on the FTP command channel.
|
|
Currently supported commands are RETR (get on a file) and STOR (put on a
|
|
file).
|
|
|
|
Syntax::
|
|
|
|
ftpdata_command:(retr|stor)
|
|
|
|
Signature Example:
|
|
|
|
.. container:: example-rule
|
|
|
|
alert ftp-data any any -> any any (msg:"FTP store password"; \
|
|
filestore; filename:"password"; \
|
|
:example-rule-options:`ftpdata_command:stor;` sid:3; rev:1;)
|
|
|
|
ftpbounce
|
|
---------
|
|
|
|
Detect FTP bounce attacks.
|
|
|
|
Syntax::
|
|
|
|
ftpbounce
|
|
|
|
file.name
|
|
---------
|
|
|
|
The ``file.name`` keyword can be used at the FTP application level.
|
|
|
|
Signature Example:
|
|
|
|
.. container:: example-rule
|
|
|
|
alert ftp-data any any -> any any (msg:"FTP file.name usage"; \
|
|
:example-rule-options:`file.name; content:"file.txt";` \
|
|
classtype:bad-unknown; sid:1; rev:1;)
|
|
|
|
For additional information on the ``file.name`` keyword, see :doc:`file-keywords`.
|
|
|
|
ftp.command
|
|
-----------
|
|
|
|
This keyword matches on the command name from a FTP client request. ``ftp.command``
|
|
is a sticky buffer and can be used as a fast pattern.
|
|
|
|
Syntax::
|
|
|
|
ftp.command; content: <command>;
|
|
|
|
Signature Example:
|
|
|
|
.. container:: example-rule
|
|
|
|
alert ftp any any -> any any (:example-rule-options:`ftp.command; content:"PASS";` sid: 1;)
|
|
|
|
Examples of commands are:
|
|
|
|
* USER
|
|
* PASS
|
|
* PORT
|
|
* EPRT
|
|
* PASV
|
|
* RETR
|
|
|