file.name; content:"examplefilename"; nocase;
fileext
--------
+--------
-Matches on the extension of a file name.
+``fileext`` is used to look at individual file extensions that are
+seen in flows that Suricata evaluates.
-Syntax::
+Example::
+
+ fileext:"pdf";
+
+**Note:** ``fileext`` does not allow partial matches. For example, if
+a PDF file (.pdf) is seen by a Suricata signature with
+fileext:"pd"; the signature will not produce an alert.
+
+**Note:** ``fileext`` assumes ``nocase`` by default. This means
+that a file with the extension .PDF will be seen the same as if
+the file had an extension of .pdf.
+
+**Note:** ``fileext`` and ``file.name`` can both be used to match on
+file extensions. In the example below the two signatures are
+considered the same.
+
+Example::
+
+ fileext:"pdf";
+
+ file.name; content:".pdf"; nocase; endswith;
- fileext:<string>;
+**Note**: While``fileeext`` and ``file.name`` can both be used
+to match on file extensions, ``file.name`` allows for partial
+matching on file extensions. The following would match on a file
+with the extension of .pd as well as .pdf.
Example::
- fileext:"jpg";
+ file.name; content:".pd";
filemagic
---------
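Review bot: In the last added note, "While``fileeext``" misspells the keyword (three e's) and has no space before the opening backticks, so the RST inline literal will not render; it should read "While ``fileext`` and ``file.name`` ...", and "**Note**:" should use the "**Note:**" form of the three notes above it. The final example, file.name; content:".pd";, carries neither nocase nor endswith, so it is a case-sensitive substring match anywhere in the file name rather than a partial match on the extension. Either add those modifiers as in the earlier file.name example, or state in the note that the match is not anchored to the end of the name. The patch also drops the "Syntax::" block with fileext:<string>; and leaves only examples; consider keeping the syntax line alongside the new example.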