http.cookie
-----------
-With the ``http.cookie`` content modifier, it is possible to match
-specifically and only on the cookie buffer. The keyword can be used in
-combination with all previously mentioned content modifiers like
-``depth``, ``distance``, ``offset``, ``nocase`` and ``within``.
+With the ``http.cookie`` sticky buffer it is possible to match
+specifically on the HTTP cookie contents. Keywords like ``depth``,
+``distance``, ``offset``, ``nocase`` and ``within`` can be used
+with ``http.cookie``.
-Note that cookies are passed in HTTP headers, but are extracted to a
-dedicated buffer and matched using their own specific content
-modifier.
+Note that cookies are passed in HTTP headers but Suricata extracts
+the cookie data to ``http.cookie`` and will not match cookie content
+put in the ``http.header`` sticky buffer.
Example of a cookie in a HTTP request:
-.. image:: http-keywords/cookie.png
+Examples::
+
+ GET / HTTP/1.1
+ User-Agent: Mozilla/5.0
+ Host: www.example.com
+ Cookie: PHPSESSIONID=1234
+ Connection: close
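Review bot: The added note "will not match cookie content put in the ``http.header`` sticky buffer" is ambiguous. It can be read as saying that cookie data is placed in ``http.header``, which is the opposite of what the first half of the sentence says. Say outright that a ``content`` match placed after ``http.header`` will never see cookie data, so a rule written that way fails silently and must use ``http.cookie`` instead. Separately, the new "Examples::" line directly follows the unchanged lead-in "Example of a cookie in a HTTP request:", so the rendered page gets two lead-ins for one request, and the plural does not fit a single example. Consider dropping "Examples::" and ending the existing lead-in with "::".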
-Example of the purpose of ``http.cookie``:
+Example ``http.cookie`` keyword in a signature:
+
+.. container:: example-rule
-.. image:: http-keywords/cookie1.png
+ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Request
+ with Cookie"; flow:established,to_server; http.method; content:"GET";
+ http.uri; content:"/"; fast_pattern; :example-rule-emphasis:`http.cookie;
+ content:"PHPSESSIONID="; startswith;` classtype:bad-unknown; sid:123;
+ rev:1;)
http.user_agent
---------------
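Review bot: The example rule anchors ``content:"PHPSESSIONID="; startswith;`` at the start of ``http.cookie``, while the sample request line is "Cookie: PHPSESSIONID=1234". The rule therefore relies on the buffer beginning at the cookie value, without the "Cookie: " header name, but the section text never says so. Add one sentence to the description stating what the buffer contains, so that readers do not write ``content:"Cookie: "`` against it. The prose also lists only ``depth``, ``distance``, ``offset``, ``nocase`` and ``within`` as usable keywords, yet the example uses ``startswith``. Either add it to the list or use one of the listed modifiers in the rule.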