doc/ftp: Document ftp.reply_received

author Jeff Lucovsky <jlucovsky@oisf.net>

Thu, 17 Apr 2025 12:32:15 +0000 (08:32 -0400)

committer Victor Julien <victor@inliniac.net>

Fri, 16 May 2025 19:33:57 +0000 (21:33 +0200)
author Jeff Lucovsky <jlucovsky@oisf.net>
Thu, 17 Apr 2025 12:32:15 +0000 (08:32 -0400)
committer Victor Julien <victor@inliniac.net>
Fri, 16 May 2025 19:33:57 +0000 (21:33 +0200)
diff --git a/doc/userguide/rules/ftp-keywords.rst b/doc/userguide/rules/ftp-keywords.rst

index 8e4ccbee63822cf7925c6251b471f7d6c72127c2..93f224e6290f01ed20e608c1a142e4f962efbf10 100644 (file)
--- a/doc/userguide/rules/ftp-keywords.rst
+++ b/doc/userguide/rules/ftp-keywords.rst
@@ -227,3 +227,28 @@ Signature Example:
  .. container:: example-rule
  
    alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Transfer complete.";` sid: 2;)
+
+ftp.reply_received
+------------------
+
+This keyword matches on whether an FTP reply string was received. EVE logs
+with the FTP event_type include a field named ``reply_received``. Use this
+keyword to alert when a reply is (is not) received. ``ftp.reply_received``
+is not a sticky buffer and uses a different syntax to express its value.
+
+.. note ::
+   Specify the match value without using quotes, e.g., use yes instead of "yes".
+
+Syntax::
+
+  ftp.reply_received: yes|on|true|1|no|off|false|0;
+
+Signature Example:
+
+.. container:: example-rule
+
+  alert ftp any any -> any any (:example-rule-options:`ftp.reply_received: yes;` sid: 1;)
+
+.. container:: example-rule
+
+  alert ftp any any -> any any (:example-rule-options:`ftp.reply_received: no;` sid: 1;)
author	Jeff Lucovsky <jlucovsky@oisf.net>
	Thu, 17 Apr 2025 12:32:15 +0000 (08:32 -0400)
committer	Victor Julien <victor@inliniac.net>
	Fri, 16 May 2025 19:33:57 +0000 (21:33 +0200)