doc/file_data: add note on negated matching

Explain issue #2216 and how to avoid it.

diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst
index 5e0eaeab4d11bebec6c0653c4677521f9dfa2093..6d38460b97a5b010c35cfd6b6bdf7ba99a62225f 100644 (file)
--- a/doc/userguide/rules/http-keywords.rst
+++ b/doc/userguide/rules/http-keywords.rst
@@ -591,6 +591,8 @@ Notes
 
 -  Corresponding PCRE modifier: ``Q``
 
+-  further notes at the ``file_data`` section below.
+
 http_host and http_raw_host
 ---------------------------
 
@@ -673,11 +675,30 @@ rule. This makes it a useful shortcut for applying many content
 matches to the HTTP response body, eliminating the need to modify each
 content match individually.
 
-Note: how much of the response/server body is inspected is controlled
+As the body of a HTTP response can be very large, it is inspected in
+smaller chunks.
+
+How much of the response/server body is inspected is controlled
 in your :ref:`libhtp configuration section
 <suricata-yaml-configure-libhtp>` via the ``response-body-limit``
 setting.
 
+Notes
+~~~~~
+
+-  If a HTTP body is using gzip or deflate, ``file_data`` will match
+   on the decompressed data.
+
+-  Negated matching is affected by the chunked inspection. E.g.
+   'content:!"<html";' could not match on the first chunk, but would
+   then possibly match on the 2nd. To avoid this, use a depth setting.
+   The depth setting takes the body size into account.
+   Assuming that the ``response-body-minimal-inspect-size`` is bigger
+   than 1k, 'content:!"<html"; depth:1024;' can only match if the
+   pattern '<html' is absent from the first inspected chunk.
+
+-  ``file_data`` can also be used with SMTP
+
 pcre
 ----