  • only in /asuswrt-rt-n18u-9.0.0.4.380.2695/release/src-rt-6.x.4708/router/iptables-1.4.x/l7-protocols/
# FTP - File Transfer Protocol - RFC 959
# Pattern attributes: great notsofast fast
# Protocol groups: document_retrieval ietf_internet_standard
# Wiki: http://protocolinfo.org/wiki/FTP
#
# Usually runs on port 21.  Note that the data stream is on a dynamically
# assigned port, which means that you will need the FTP connection
# tracking module in your kernel to usefully match FTP data transfers.
#
# This pattern is well tested.
#
# Handles the first two things a server should say:
#
# First, the server says it's ready by sending "220".  Most servers say
# something after 220, even though they don't have to, and it usually
# includes the string "ftp" (l7-filter is case insensitive). This
# includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP
# Server, and whatever ftp.microsoft.com uses.  Almost all servers use only
# ASCII printable characters between the "220" and the "FTP", but non-English
# ones might use others.
#
# The next thing the server sends is a 331.  All the above servers also
# send something including "password" after this code.  By default, we
# do not match on this because it takes another packet and is more work
# for regexec.

ftp
# by default, we allow only ASCII
^220[\x09-\x0d -~]*ftp

# This covers UTF-8 as well
#^220[\x09-\x0d -~\x80-\xfd]*ftp

# This allows any characters and is about 4x faster than either of the above
# (which are about the same as each other)
#^220.*ftp

# This is much slower
#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password

# This pattern is more precise, but takes longer to match. (3 packets vs. 1)
#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331

# same as above, but slightly less precise and only takes 2 packets.
#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a

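Added example, not part of the l7-filter pattern file: a Python check of four of the patterns above against constructed banners, showing which variants classify each stream as FTP. It assumes Python's `re` with `IGNORECASE` and `DOTALL` approximates l7-filter's case-insensitive matcher; the sample streams and the `classify` helper are made up for illustration.

```python
import re

# Patterns copied verbatim from the pattern file above (active and commented-out).
PATTERNS = {
    "ascii":   rb"^220[\x09-\x0d -~]*ftp",
    "utf8":    rb"^220[\x09-\x0d -~\x80-\xfd]*ftp",
    "any":     rb"^220.*ftp",
    "precise": rb"^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331",
}

# Assumption: IGNORECASE + DOTALL stands in for l7-filter's own regex engine,
# which the file describes as case insensitive.
FLAGS = re.IGNORECASE | re.DOTALL
COMPILED = {name: re.compile(pat, FLAGS) for name, pat in PATTERNS.items()}


def classify(stream: bytes) -> list:
    """Return the names of the patterns that match this connection's data."""
    return [name for name, rx in COMPILED.items() if rx.search(stream)]


# Constructed sample streams (not captured traffic).
SAMPLES = {
    # Typical banner containing "ftp": one server packet is enough.
    "proftpd": b"220 ProFTPD Server (example) [192.0.2.10]\r\n",
    # RFC 959's generic reply text has no "ftp" in it.
    "generic": b"220 Service ready for new user.\r\n",
    # Non-ASCII bytes between "220" and "FTP" (UTF-8 encoded).
    "non_ascii": "220 Serveur pr\u00eat FTP\r\n".encode("utf-8"),
    # Server and client bytes concatenated in arrival order, which is
    # what the 3-packet "precise" pattern expects to see.
    "login": (b"220 (vsFTPd 3.0.3)\r\n"
              b"USER anonymous\r\n"
              b"331 Please specify the password.\r\n"),
    # SMTP also greets with 220; a hostname containing "ftp" is labelled FTP.
    "smtp": b"220 ftpmail.example.org ESMTP\r\n",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:10s} -> {classify(data) or 'no match'}")
```

The `generic` and `smtp` rows show the two ways the banner heuristic mislabels traffic: a banner without "ftp" is missed by every single-packet variant, and a non-FTP 220 greeting containing "ftp" is accepted by them.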