Hello, i need to extract files from ftp protocol.But it doesn’t work.
The suricata version is 7.0.2, and operating system is Centos7.
The configuration yaml is as follows:
…
The rule is:
alert ftp-data any any → any any (msg:“FTP test”; filestore; ftpdata_command:stor; sid:3; rev:1;)
Pcap file:
ftp_file.pcap (8.8 KB)
I need help, please 
Looks like a bug to fix…
Will this problem be followed up and solved?
And I found that FTP file extraction does not always fail, I tried to transfer four files and only two files were restored.
You should get your expected behavior with --set stream.inline=true (or set it in suricata.yaml)
Longer analysis :
The ftp-data flow does not get classified as such, because the expectation is only created on TCP ACK packet to the STOR command.
This ACK packet arrives after the ftp-data 3 way handshake + data + first ack
@vjulien do we want to handle such case ?
As you suggested, I set stream.inline=true. The file was successfully restored as expected.
Thank you very much. 