doc: Add ftp.command sticky buffer

author Jeff Lucovsky <jlucovsky@oisf.net>

Mon, 20 Jan 2025 15:37:08 +0000 (10:37 -0500)

committer Victor Julien <victor@inliniac.net>

Sun, 26 Jan 2025 06:10:01 +0000 (07:10 +0100)
author Jeff Lucovsky <jlucovsky@oisf.net>
Mon, 20 Jan 2025 15:37:08 +0000 (10:37 -0500)
committer Victor Julien <victor@inliniac.net>
Sun, 26 Jan 2025 06:10:01 +0000 (07:10 +0100)
diff --git a/doc/userguide/rules/ftp-keywords.rst b/doc/userguide/rules/ftp-keywords.rst

index d934516844867491ca1540fcd0c8b470c23a55b7..1f45e12d52b6e34204753486a562380e4982ee7e 100644 (file)
--- a/doc/userguide/rules/ftp-keywords.rst
+++ b/doc/userguide/rules/ftp-keywords.rst
@@ -44,4 +44,30 @@ Signature Example:
    :example-rule-options:`file.name; content:"file.txt";` \
    classtype:bad-unknown; sid:1; rev:1;)
  
-For additional information on the ``file.name`` keyword, see :doc:`file-keywords`.
-\ No newline at end of file
+For additional information on the ``file.name`` keyword, see :doc:`file-keywords`.
+
+ftp.command
+-----------
+
+This keyword matches on the command name from a FTP client request. ``ftp.command``
+is a sticky buffer and can be used as a fast pattern.
+
+Syntax::
+
+  ftp.command; content: <command>;
+
+Signature Example:
+
+.. container:: example-rule
+
+  alert ftp any any -> any any (:example-rule-options:`ftp.command; content:"PASS";` sid: 1;)
+
+Examples of commands are:
+
+* USER
+* PASS
+* PORT
+* EPRT
+* PASV
+* RETR
+
author	Jeff Lucovsky <jlucovsky@oisf.net>
	Mon, 20 Jan 2025 15:37:08 +0000 (10:37 -0500)
committer	Victor Julien <victor@inliniac.net>
	Sun, 26 Jan 2025 06:10:01 +0000 (07:10 +0100)