Skip to content

Commit

Permalink
doc: Add ftp.command sticky buffer
Browse files Browse the repository at this point in the history 
Issue: 7502

This commit documents the new FTP sticky buffer "ftp.command".
@jlucovsky @victorjulien
jlucovsky authored and victorjulien committed Jan 26, 2025

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
Learn about vigilant mode
1 parent b662feb commit 53abe1e
Showing 1 changed file with 27 additions and 1 deletion.
28 changes: 27 additions & 1 deletion doc/userguide/rules/ftp-keywords.rst
View file
Original file line number Diff line number Diff line change
@@ -44,4 +44,30 @@ Signature Example:
:example-rule-options:`file.name; content:"file.txt";` \
classtype:bad-unknown; sid:1; rev:1;)

For additional information on the ``file.name`` keyword, see :doc:`file-keywords`.
For additional information on the ``file.name`` keyword, see :doc:`file-keywords`.

ftp.command
-----------

This keyword matches on the command name from a FTP client request. ``ftp.command``
is a sticky buffer and can be used as a fast pattern.

Syntax::

ftp.command; content: <command>;

Signature Example:

.. container:: example-rule

alert ftp any any -> any any (:example-rule-options:`ftp.command; content:"PASS";` sid: 1;)

Examples of commands are:

* USER
* PASS
* PORT
* EPRT
* PASV
* RETR

0 comments on commit 53abe1e

Please sign in to comment.