aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
suricata/doc/userguide/rules/ftp-keywords.rst

306 lines
8.3 KiB
ReStructuredText
Raw Permalink Blame History

FTP/FTP-DATA Keywords
=====================
.. role:: example-rule-options
ftpdata_command
---------------
Filter ftp-data channel based on command used on the FTP command channel.
Currently supported commands are RETR (get on a file) and STOR (put on a
file).
Syntax::
ftpdata_command:(retr|stor)
Signature Example:
.. container:: example-rule
alert ftp-data any any -> any any (msg:"FTP store password"; \
filestore; filename:"password"; \
:example-rule-options:`ftpdata_command:stor;` sid:3; rev:1;)
ftpbounce
---------
Detect FTP bounce attacks.
Syntax::
ftpbounce
file.name
---------
The ``file.name`` keyword can be used at the FTP application level.
Signature Example:
.. container:: example-rule
alert ftp-data any any -> any any (msg:"FTP file.name usage"; \
:example-rule-options:`file.name; content:"file.txt";` \
classtype:bad-unknown; sid:1; rev:1;)
For additional information on the ``file.name`` keyword, see :doc:`file-keywords`.
ftp.command
-----------
This keyword matches on the command name from an FTP client request. ``ftp.command``
is a sticky buffer and can be used as a fast pattern.
Syntax::
ftp.command; content: <command>;
Signature Example:
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.command; content:"PASS";` sid: 1;)
Examples of commands are:
* USER
* PASS
* PORT
* EPRT
* PASV
* RETR
ftp.command_data
----------------
This keyword matches on the command data from a FTP client request.
``ftp.command_data`` is a sticky buffer and can be used as a fast pattern.
Syntax::
ftp.command_data; content: <command_data>;
Signature Example:
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.command_data; content:"anonymous";` sid: 1;)
The ``ftp.command_data`` matches the data associated with an FTP command. Consider the following FTP command
examples::
USER anonymous
RETR temp.txt
PORT 192,168,0,13,234,10
Example rules for each of the preceding FTP commands and command data.
.. container:: example-rule
alert ftp any any -> any any (ftp.command; content: "USER"; :example-rule-options:`ftp.command_data; content:"anonymous";` sid: 1;)
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.command_data; content:"anonymous";` sid: 1;)
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.command_data; content:"temp.txt";` sid: 2;)
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.command_data; content:"192,168,0,13,234,10";` sid: 3;)
ftp.completion_code
-------------------
This keyword matches on an FTP completion code string. Note that there may be multiple reply strings for
an FTP command and hence, multiple completion code values to check. ``ftp.completion_code`` is a sticky buffer
and can be used as a fast pattern. Do not include the response string in the `content` to match upon (see examples).
Syntax::
ftp.completion_code; content: <quoted-completion-code>;
Signature Example:
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.completion_code; content:"226";` sid: 1;)
.. note ::
FTP commands can return multiple reply strings. Specify a single completion code for each ``ftp.completion_code`` keyword.
This example shows an FTP command (``RETR``) followed by an FTP reply with multiple response strings.
::
RETR temp.txt
150 Opening BINARY mode data connection for temp.txt (1164 bytes).
226 Transfer complete.
Because there are multiple completion codes and responses, the rule can match on
``ftp.reply`` and the ``ftp.completion_code``. Suricata cannot guarantee that
these come from the `same response`, however.
Signature Examples:
.. container:: example-rule
alert ftp any any -> any any (ftp.reply; content:"Opening BINARY mode data connection for temp."; \
:example-rule-options:`ftp.completion_code; content: "150";` sid: 1;)
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.completion_code; content: "226";` sid: 2;)
.. container:: example-rule
alert ftp any any -> any any (
ftp.reply; content: "Transfer complete.";
:example-rule-options:`ftp.completion_code; content: "226";` sid: 3;)
ftp.dynamic_port
----------------
This keyword matches on the dynamic port negotiated during an FTP session with
the following FTP commands:
* IPv4: ``PORT`` and ``EPRT``
* IPv6: ``PASV`` and ``EPSV``
Syntax::
ftp.dynamic_port: <port-spec>;
``port-spec`` can be one of the following:
* ``>`` (greater than)
* ``<`` (less than)
* ``>=`` (greater than or equal)
* ``<=`` (less than or equal)
* ``arg1-arg2`` (exclusive range)
Signature Example:
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.dynamic_port: 59914;` sid: 1;)
These rules are will also alert on port ``59914``:
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.dynamic_port: 59913-59915;` sid: 1;)
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.dynamic_port: =59914;` sid: 1;)
Example rules combining ``ftp.dynamic_port`` with ``ftp.command``
.. container:: example-rule
alert ftp any any -> any any (ftp.command; content: "PORT"; :example-rule-options:`ftp.dynamic_port: 59914;` sid: 1;)
.. container:: example-rule
alert ftp any any -> any any (ftp.command; content: "EPSV"; :example-rule-options:`ftp.dynamic_port: 58612;` sid: 1;)
ftp.mode
--------
This keyword matches on whether the FTP session is dynamic or passive.
In `active` mode sessions, the server establishes the data channel.
In `passive` mode, the client establishes the data channel. Active
mode sessions are established in part with the ``PORT`` (``EPRT`` for IPv6)
command; passive mode sessions use ``PASV`` (``EPSV`` for IPv6).
Syntax::
ftp.mode: active|passive;
Signature Example:
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.mode: active;` sid: 1;)
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.mode: passive;` sid: 1;)
Example rules combining ``ftp.command`` with ``ftp.mode``
.. container:: example-rule
alert ftp any any -> any any (ftp.command; content: "PORT"; :example-rule-options:`ftp.mode: active;` sid:1;)
.. container:: example-rule
alert ftp any any -> any any (ftp.command; content: "PASV"; :example-rule-options:`ftp.mode: passive;` sid:1;)
ftp.reply
---------
This keyword matches on an FTP reply string. Note that there may be multiple reply strings for
an FTP command. ``ftp.reply`` is a sticky buffer and can be used as a fast pattern. Do not
include the completion code in the `content` to match upon (see examples).
Syntax::
ftp.reply; content: <reply-string>;
.. note ::
FTP commands can return multiple reply strings. Specify a single reply for each ``ftp.reply`` keyword.
This example shows an FTP command (``RETR``) followed by an FTP reply with multiple response strings.
::
RETR temp.txt
150 Opening BINARY mode data connection for temp.txt (1164 bytes).
226 Transfer complete.
Signature Example:
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Please specify the password.";` sid: 1;)
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Opening BINARY mode data connection for temp.";` sid: 1;)
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.reply; content:"Transfer complete.";` sid: 2;)
ftp.reply_received
------------------
This keyword matches on whether an FTP reply string was received. EVE logs
with the FTP event_type include a field named ``reply_received``. Use this
keyword to alert when a reply is (is not) received. ``ftp.reply_received``
is not a sticky buffer and uses a different syntax to express its value.
.. note ::
Specify the match value without using quotes, e.g., use yes instead of "yes".
Syntax::
ftp.reply_received: yes|on|true|1|no|off|false|0;
Signature Example:
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.reply_received: yes;` sid: 1;)
.. container:: example-rule
alert ftp any any -> any any (:example-rule-options:`ftp.reply_received: no;` sid: 1;)
Reference in New Issue View Git Blame Copy Permalink