doc: Add ftp.command sticky buffer

Issue: 7502 This commit documents the new FTP sticky buffer "ftp.command".
1 month ago · 53abe1e5d7
parent b662feb162
commit 53abe1e5d7
1 changed files with 27 additions and 1 deletions
--- a/doc/userguide/rules/ftp-keywords.rst
+++ b/doc/userguide/rules/ftp-keywords.rst
@ -44,4 +44,30 @@ Signature Example:
  :example-rule-options:`file.name; content:"file.txt";` \
  classtype:bad-unknown; sid:1; rev:1;)

-For additional information on the ``file.name`` keyword, see :doc:`file-keywords`.
+For additional information on the ``file.name`` keyword, see :doc:`file-keywords`.
+
+ftp.command
+-----------
+
+This keyword matches on the command name from a FTP client request. ``ftp.command``
+is a sticky buffer and can be used as a fast pattern.
+
+Syntax::
+
+  ftp.command; content: <command>;
+
+Signature Example:
+
+.. container:: example-rule
+
+  alert ftp any any -> any any (:example-rule-options:`ftp.command; content:"PASS";` sid: 1;)
+
+Examples of commands are:
+
+* USER
+* PASS
+* PORT
+* EPRT
+* PASV
+* RETR
+