ftp.command
-----------
-This keyword matches on the command name from a FTP client request. ``ftp.command``
+This keyword matches on the command name from an FTP client request. ``ftp.command``
is a sticky buffer and can be used as a fast pattern.
Syntax::
RETR temp.txt
PORT 192,168,0,13,234,10
-
Example rules for each of the preceding FTP commands and command data.
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.command_data; content:"192,168,0,13,234,10";` sid: 3;)
+ftp.reply
+---------
+
+This keyword matches on an FTP reply string. Note that there may be multiple reply strings for
+an FTP command. ``ftp.reply`` is a sticky buffer and can be used as a fast pattern. Do not
+include the completion code in the `content` to match upon (see examples).
+
+Syntax::
+
+ ftp.reply; content: <reply-string>;
+ alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Please specify the password.";` sid: 1;)
+
+.. note ::
+ FTP commands can return multiple reply strings. Specify a single reply for each ``ftp.reply`` keyword.
+
+This example shows an FTP command (``RETR``) followed by an FTP reply with multiple response strings.
+::
+
+ RETR temp.txt
+ 150 Opening BINARY mode data connection for temp.txt (1164 bytes).
+ 226 Transfer complete.
+
+Signature Example:
+
+.. container:: example-rule
+
+ alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Opening BINARY mode data connection for temp.";` sid: 1;)
+
+.. container:: example-rule
+
+ alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Transfer complete.";` sid: 2;)
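
Review bot: In the ``ftp.reply`` introduction, "Do not include the completion code in the `content` to match upon (see examples)" gives the rule without the reason, and the examples only imply it by leaving out ``150`` and ``226``. State what the buffer actually holds, so a reader knows whether a ``content`` that begins with the code can ever match. In that same sentence `content` is in single backticks while ``ftp.reply`` uses double backticks; use ``content`` for consistency. The first example rule follows ``ftp.reply; content: <reply-string>;`` directly, with no "Signature Example:" label or ``.. container:: example-rule`` line as the two rules at the end of the section have, and it carries ``sid: 1``, which the "Opening BINARY mode" rule reuses; give the examples in this section distinct sids. ``.. note ::`` is written with a space before the colons, unlike ``.. container::`` elsewhere in the hunk.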