From: Jeff Lucovsky Date: Thu, 17 Apr 2025 12:32:15 +0000 (-0400) Subject: doc/ftp: Document ftp.reply_received X-Git-Tag: suricata-8.0.0-rc1~261 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F13251%2Fhead;p=thirdparty%2Fsuricata.git doc/ftp: Document ftp.reply_received Add documentation for the ftp.reply_received keyword. --- diff --git a/doc/userguide/rules/ftp-keywords.rst b/doc/userguide/rules/ftp-keywords.rst index 8e4ccbee63..93f224e629 100644 --- a/doc/userguide/rules/ftp-keywords.rst +++ b/doc/userguide/rules/ftp-keywords.rst @@ -227,3 +227,28 @@ Signature Example: .. container:: example-rule alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Transfer complete.";` sid: 2;) + +ftp.reply_received +------------------ + +This keyword matches on whether an FTP reply string was received. EVE logs +with the FTP event_type include a field named ``reply_received``. Use this +keyword to alert when a reply is (is not) received. ``ftp.reply_received`` +is not a sticky buffer and uses a different syntax to express its value. + +.. note :: + Specify the match value without using quotes, e.g., use yes instead of "yes". + +Syntax:: + + ftp.reply_received: yes|on|true|1|no|off|false|0; + +Signature Example: + +.. container:: example-rule + + alert ftp any any -> any any (:example-rule-options:`ftp.reply_received: yes;` sid: 1;) + +.. container:: example-rule + + alert ftp any any -> any any (:example-rule-options:`ftp.reply_received: no;` sid: 1;)
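Review bot: both new signature examples in the hunk carry `sid: 1;`, so the two rules would collide on signature ID if a reader pasted them into one rule file; give the second example a distinct ID, e.g. `alert ftp any any -> any any (:example-rule-options:`ftp.reply_received: no;` sid: 2;)`. Two smaller points in the same hunk: the directive is written `.. note ::` with a space before the colons, while the rest of the file uses the `.. container::` form, so `.. note::` would keep the markup consistent; and the sentence "Use this keyword to alert when a reply is (is not) received" reads more clearly as "when a reply was or was not received", and could state that the negative form is what distinguishes this keyword from `ftp.reply`, which only matches when reply content is present.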