1

I understand that if you specify multiple contents then the rule triggers only if ALL the content conditions are satisfied.

But I want to create a rule that will trigger even if any one of the content keywords is detected. Note that it has to be in a single rule. Perhaps something like this:

alert tcp any any -> any 21 (msg: "FTP traffic"; content: "USER" OR content: "PASS"; sid: 666;)

What I am trying to achieve is a rule that blocks only FTP traffic on port 21 but allows other traffic. So I figured I could just list all FTP raw commands in the content. Note that it has to be a SINGLE rule.

Thank you

ritratt
  • 373
  • 4
  • 6

1 Answer

2

This concept will do the trick for you.

alert tcp any any -> any 21 (msg:"FTP traffic"; pcre:"/USER|PASS/i"; sid:666; rev:1;)

This is a case-insensitive (/i) Perl Compatible Regular Expression (pcre) match for USER or (|) PASS.

If you want to add additional commands then simply tack them on to the end of the regex like...

/USER|PASS|PASV|.../

To my knowledge having an OR operator for content matches is not possible. Instead make two rules (which you indicated you don't want to do).

  1. Looks for USER
  2. Looks for PASS

I have seen many people indicate that using PCRE in Snort is expensive and should be avoided. Supposing it's used effectively I don't think there's a huge issue, but I have never captured performance metrics since I have rarely used PCRE for rule matching myself. If you do use the above PCRE rule then strongly consider beefing it up with content and flow. As it's currently written, Snort will inspect every packet that matches the header (tcp any any -> any 21)!

http://manual.snort.org/node32.html#SECTION004523000000000000000
http://manual.snort.org/node32.html#SECTION00451000000000000000
http://manual.snort.org/node33.html#SECTION00469000000000000000

Without more details of where you are/where you're trying to get to/what you have available you should also check out the FTP preprocessor to see if it can help achieve your overall goal.

http://manual.snort.org/node17.html#SECTION003210000000000000000

Scott Pack
  • 15,167
  • 5
  • 61
  • 91
user1801810
  • 379
  • 1
  • 9
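To make the difference between the two rule styles concrete, here is an added example (not part of the question or answer above, and not Snort's engine) that models how a rule with several `content:` options behaves compared with a single `pcre:` alternation. The `make_packet`, `match_all_contents`, `match_pcre`, `evaluate` and `run_all` names, the `FTP_COMMANDS` list and the sample payloads are all constructed for this illustration; the direction check stands in for `flow:to_server,established`, and the anchored `TIGHT` pattern is one assumed way of "beefing up" the loose `/USER|PASS/i` so that the word "user" inside some other protocol's body on port 21 does not fire the rule.

```python
import re

# Hypothetical, simplified model of Snort rule-option evaluation.
# It only exists to show why several content: options behave as AND
# while alternation inside one pcre: option behaves as OR.

def make_packet(dst_port, to_server, payload):
    """Constructed packet: destination port, client->server flag, raw payload."""
    return {"dst_port": dst_port, "to_server": to_server, "payload": payload}

# Constructed sample traffic (not captured data).
SAMPLES = {
    "ftp_user":   make_packet(21, True,  b"USER anonymous\r\n"),
    "ftp_pass":   make_packet(21, True,  b"PASS guest@example.com\r\n"),
    "ftp_pasv":   make_packet(21, True,  b"pasv\r\n"),
    "ftp_banner": make_packet(21, False, b"220 FTP server ready\r\n"),
    # Non-FTP traffic sent to port 21; contains the bytes "user" and "pass".
    "http_body":  make_packet(21, True,  b"POST / HTTP/1.1\r\n\r\nuser=bob&pass=hunter2"),
}

def match_all_contents(pkt, contents):
    """Several content: options in one rule: every one must be present (AND).
    Plain content: is case-sensitive unless nocase is added."""
    return all(c in pkt["payload"] for c in contents)

def match_pcre(pkt, pattern):
    """One pcre: option: the regex decides, so '|' alternation gives OR."""
    return re.search(pattern, pkt["payload"]) is not None

# Assumed list of FTP commands to OR together (extend as needed).
FTP_COMMANDS = [b"USER", b"PASS", b"PASV", b"PORT", b"RETR", b"STOR", b"QUIT"]

# Model of the answer's pcre:"/USER|PASS/i": OR, case-insensitive, anywhere in the payload.
LOOSE = re.compile(b"|".join(FTP_COMMANDS[:2]), re.IGNORECASE)

# Tightened variant (assumption): command anchored at a line start (/m)
# and followed by whitespace or end of line, so "user=bob" does not match.
TIGHT = re.compile(rb"^(?:" + b"|".join(FTP_COMMANDS) + rb")(?:\s|$)",
                   re.IGNORECASE | re.MULTILINE)

def evaluate(pkt):
    """Return which of the three modelled rule styles would alert on the packet."""
    header_ok = pkt["dst_port"] == 21
    return {
        # content:"USER"; content:"PASS";  -> both strings required
        "and_contents": header_ok and match_all_contents(pkt, [b"USER", b"PASS"]),
        # pcre:"/USER|PASS/i"              -> either string, any case, anywhere
        "pcre_loose":   header_ok and match_pcre(pkt, LOOSE),
        # flow:to_server modelled as a direction check before the anchored regex
        "pcre_tight":   header_ok and pkt["to_server"] and match_pcre(pkt, TIGHT),
    }

def run_all():
    """Evaluate every constructed sample; returns {sample_name: {style: alerted}}."""
    return {name: evaluate(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:11s} {result}")
```

Running it shows the point of the answer: the AND-style rule never fires on a real FTP command (a single packet rarely carries both `USER` and `PASS`), the loose PCRE fires on every `USER`/`PASS` line but also on the non-FTP body, and the anchored, direction-checked variant fires only on client-to-server lines that start with an FTP command.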