doc/ftp: Document ftp.dynamic_port keyword

Document the sticky buffer for ftp.dynamic_port

diff --git a/doc/userguide/rules/ftp-keywords.rst b/doc/userguide/rules/ftp-keywords.rst
index 98a14f879adef322f3321b37ecc12a744826d78d..2386b29643dd3c3a60d9bfffbb5fdf37aec59f4e 100644 (file)
--- a/doc/userguide/rules/ftp-keywords.rst
+++ b/doc/userguide/rules/ftp-keywords.rst
@@ -113,6 +113,53 @@ Example rules for each of the preceding FTP commands and command data.
 
   alert ftp any any -> any any (:example-rule-options:`ftp.command_data; content:"192,168,0,13,234,10";` sid: 3;)
 
+ftp.dynamic_port
+----------------
+
+This keyword matches on the dynamic port negotiated during an FTP session with
+the following FTP commands:
+
+* IPv4: ``PORT`` and ``EPRT``
+* IPv6: ``PASV`` and ``EPSV``
+
+Syntax::
+
+  ftp.dynamic_port: <port-spec>;
+
+``port-spec`` can be one of the following:
+
+* ``>`` (greater than)
+* ``<`` (less than)
+* ``>=`` (greater than or equal)
+* ``<=`` (less than or equal)
+* ``arg1-arg2`` (exclusive range)
+
+Signature Example:
+
+.. container:: example-rule
+
+  alert ftp any any -> any any (:example-rule-options:`ftp.dynamic_port: 59914;` sid: 1;)
+
+These rules are will also alert on port ``59914``:
+
+.. container:: example-rule
+
+  alert ftp any any -> any any (:example-rule-options:`ftp.dynamic_port: 59913-59915;` sid: 1;)
+
+.. container:: example-rule
+
+  alert ftp any any -> any any (:example-rule-options:`ftp.dynamic_port: =59914;` sid: 1;)
+
+Example rules combining ``ftp.dynamic_port`` with ``ftp.command``
+
+.. container:: example-rule
+
+  alert ftp any any -> any any (ftp.command; content: "PORT"; :example-rule-options:`ftp.dynamic_port: 59914;` sid: 1;)
+
+.. container:: example-rule
+
+  alert ftp any any -> any any (ftp.command; content: "EPSV"; :example-rule-options:`ftp.dynamic_port: 58612;` sid: 1;)
+
 ftp.reply
 ---------