alert ftp any any -> any any (ftp.command; content: "EPSV"; :example-rule-options:`ftp.dynamic_port: 58612;` sid: 1;)
+ftp.mode
+--------
+
+This keyword matches on whether the FTP session is dynamic or passive.
+In `active` mode sessions, the server establishes the data channel.
+In `passive` mode, the client establishes the data channel. Active
+mode sessions are established in part with the ``PORT`` (``EPRT`` for IPv6)
+command; passive mode sessions use ``PASV`` (``EPSV`` for IPv6).
+
+Syntax::
+
+ ftp.mode: active|passive;
+
+Signature Example:
+
+.. container:: example-rule
+
+ alert ftp any any -> any any (:example-rule-options:`ftp.mode: active;` sid: 1;)
+
+.. container:: example-rule
+
+ alert ftp any any -> any any (:example-rule-options:`ftp.mode: passive;` sid: 1;)
+
+Example rules combining ``ftp.command`` with ``ftp.mode``
+
+.. container:: example-rule
+
+ alert ftp any any -> any any (ftp.command; content: "PORT"; :example-rule-options:`ftp.mode: active;` sid:1;)
+
+.. container:: example-rule
+
+ alert ftp any any -> any any (ftp.command; content: "PASV"; :example-rule-options:`ftp.mode: passive;` sid:1;)
+
ftp.reply
---------
Syntax::
ftp.reply; content: <reply-string>;
- alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Please specify the password.";` sid: 1;)
.. note ::
FTP commands can return multiple reply strings. Specify a single reply for each ``ftp.reply`` keyword.
Signature Example:
+.. container:: example-rule
+
+ alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Please specify the password.";` sid: 1;)
+
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Opening BINARY mode data connection for temp.";` sid: 1;)
projects / thirdparty / suricata.git / commitdiff
