From aec2513799b85aaa83c8512af527f36ea5112093 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Thu, 17 Apr 2025 08:32:15 -0400 Subject: [PATCH] doc/ftp: Document ftp.reply_received Add documentation for the ftp.reply_received keyword. --- doc/userguide/rules/ftp-keywords.rst | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/doc/userguide/rules/ftp-keywords.rst b/doc/userguide/rules/ftp-keywords.rst index 8e4ccbee63..93f224e629 100644 --- a/doc/userguide/rules/ftp-keywords.rst +++ b/doc/userguide/rules/ftp-keywords.rst @@ -227,3 +227,28 @@ Signature Example: .. container:: example-rule alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Transfer complete.";` sid: 2;) + +ftp.reply_received +------------------ + +This keyword matches on whether an FTP reply string was received. EVE logs +with the FTP event_type include a field named ``reply_received``. Use this +keyword to alert when a reply is (is not) received. ``ftp.reply_received`` +is not a sticky buffer and uses a different syntax to express its value. + +.. note :: + Specify the match value without using quotes, e.g., use yes instead of "yes". + +Syntax:: + + ftp.reply_received: yes|on|true|1|no|off|false|0; + +Signature Example: + +.. container:: example-rule + + alert ftp any any -> any any (:example-rule-options:`ftp.reply_received: yes;` sid: 1;) + +.. container:: example-rule + + alert ftp any any -> any any (:example-rule-options:`ftp.reply_received: no;` sid: 1;) -- 2.47.2
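Review bot: The two signature examples at the end of the hunk both use `sid: 1;`, so a reader who copies them into one rules file gets a duplicate-sid load error; the preceding `ftp.reply` section already numbers its examples distinctly, so the second example should read `alert ftp any any -> any any (:example-rule-options:`ftp.reply_received: no;` sid: 2;)`. Minor wording point in the same hunk: "Use this keyword to alert when a reply is (is not) received" reads awkwardly; "to alert when a reply is received, or when one is not" says the same thing plainly.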