Skip to content

etc/schema: add missing ftp fields#15405

Closed
jlucovsky wants to merge 1 commit into
OISF:mainfrom
jlucovsky:ftp-schema/1
Closed

etc/schema: add missing ftp fields#15405
jlucovsky wants to merge 1 commit into
OISF:mainfrom
jlucovsky:ftp-schema/1

Conversation

@jlucovsky
Copy link
Copy Markdown
Contributor

@jlucovsky jlucovsky commented May 17, 2026

Add ftp detect keywords to metadata

Issue: 7502, 7503, 7507, 7505, 7508, 7506

python3 scripts/eve-parity.py unmapped-fields | grep ^ftp identified the following are unmapped:

  ftp.command
  ftp.command_data
  ftp.command_truncated
  ftp.completion_code
  ftp.mode
  ftp.reply
  ftp.reply_received
  ftp.reply_truncated
  ftp_data.command
  ftp_data.filename

Of these, the following do not have detect keywords:

  ftp.command_truncated
  ftp.reply_truncated
  ftp_data.filename

Changes (if applicable):

Link to ticket: https://redmine.openinfosecfoundation.org/issues/6476

Describe changes:

  • Added unmapped fields highlighted with command (see descr)

Provide values to any of the below to override the defaults.

  • To use a Suricata-Verify or Suricata-Update pull request,
    link to the pull request in the respective _BRANCH variable.
  • Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=
SU_REPO=
SU_BRANCH=

@jlucovsky
etc/schema: add missing ftp fields
532ae7a 
Add ftp detect keywords to metadata

Issue: 7502, 7503, 7507, 7505, 7508, 7506
@jlucovsky jlucovsky requested a review from a team as a code owner May 17, 2026 12:45
@suricata-qa
Copy link
Copy Markdown

suricata-qa commented May 17, 2026

Information: QA skipped due to no C or rust code changed detected. Set to force a run.

Pipeline = code

@catenacyber
Copy link
Copy Markdown
Contributor

catenacyber commented May 17, 2026

Of these, the following do not have detect keywords:

  ftp.command_truncated
  ftp.reply_truncated
  ftp_data.filename

Does not file.name keyword work for ftp_data.filename field ?

Also would not ftp.command; bsize > 4096; work for ftp.command_truncated ?

@jlucovsky
Copy link
Copy Markdown
Contributor Author

jlucovsky commented May 19, 2026

Of these, the following do not have detect keywords:

  ftp.command_truncated
  ftp.reply_truncated
  ftp_data.filename

Does not file.name keyword work for ftp_data.filename field ?

Also would not ftp.command; bsize > 4096; work for ftp.command_truncated ?

These fields cannot be mapped to detection keywords; are the changes in the PR sufficient for the unmapped fields that do have detection keywords?

@catenacyber
Copy link
Copy Markdown
Contributor

catenacyber commented May 19, 2026

These fields cannot be mapped to detection keywords;

I think they can : I think file.name keyword works for ftp_data.filename field

are the changes in the PR sufficient for the unmapped fields that do have detection keywords?

I think the changes are good (did not fully check), but your sentence struck me as wrong

the following do not have detect keywords: ftp_data.filename

@catenacyber catenacyber mentioned this pull request May 21, 2026
Closed
@catenacyber
Copy link
Copy Markdown
Contributor

catenacyber commented May 21, 2026

Replaced by #15435

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jlucovsky @suricata-qa @catenacyber