From 7e655544627a0c8355d4fa0b1b1bb792d2a79892 Mon Sep 17 00:00:00 2001 From: jason taylor Date: Wed, 31 Jan 2024 22:33:01 +0000 Subject: [PATCH] doc: update http.referer keyword information Ticket: 3025 Signed-off-by: jason taylor --- doc/userguide/rules/http-keywords.rst | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index 2e18ddbf57..50aac6eacd 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -649,14 +649,29 @@ than 100 we could use the following signature. .. _http.referer: http.referer ---------------- +------------ -Sticky buffer to match on the HTTP Referer header. Only contains the -header value. The \\r\\n after the header are not part of the buffer. +The ``http.referer`` keyword is used to match on the Referer field that +can be present in HTTP request headers. -Example:: +It is possible to use any of the :doc:`payload-keywords` with the +``http.referer`` keyword. + +Example HTTP Request:: + + GET / HTTP/1.1 + Host: suricata.io + Referer: https://suricata.io - alert http any any -> any any (http.referer; content:".php"; sid:1;) +.. container:: example-rule + + alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Referer Example"; \ + flow:established,to_server; :example-rule-options:`http.referer; \ + content:"http|3a 2f 2f|suricata.io";` bsize:19; classtype:bad-unknown; \ + sid:200; rev:1;) + +.. note:: ``http.referer`` does not include the leading space or trailing + \\r\\n .. _http.start: -- 2.47.3
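Review bot: the example rule does not match the example request it is paired with. The request shows `Referer: https://suricata.io`, but the rule's `content:"http|3a 2f 2f|suricata.io";` decodes to `http://suricata.io`, which is not a substring of the https value, so the rule would not alert on the documented request. The `bsize:19` that follows is the length of `https://suricata.io` (the http form is 18 bytes), so the bsize was evidently written for the https value. Suggest making the three consistent, e.g. `content:"https|3a 2f 2f|suricata.io";` with `bsize:19;` kept as is, or changing the request to `Referer: http://suricata.io` and `bsize:18;`. Minor: the removed paragraph stated that `http.referer` is a sticky buffer; the replacement text drops that, and readers of this page rely on the sticky-buffer wording to know that subsequent `content` matches apply to the buffer, so consider keeping a sentence to that effect.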