git.ipfire.org Git - thirdparty/suricata.git/commitdiff
doc: update http.request_line keyword information
author: jason taylor <jtfas90@gmail.com>
Tue, 2 Jan 2024 21:04:03 +0000 (21:04 +0000)
committer: Victor Julien <victor@inliniac.net>
Wed, 10 Apr 2024 05:03:07 +0000 (07:03 +0200)
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
doc/userguide/rules/http-keywords.rst

index 67821dc96778031f11cf8e23e81e65e347afdbb3..118137445f8a9d26461c593533513f30669c94ea 100644 (file)
@@ -280,11 +280,23 @@ Example HTTP Request::
 http.request_line
 -----------------
 
-The ``http.request_line`` forces the whole HTTP request line to be inspected.
+The ``http.request_line`` keyword is used to match on the entire contents of
+the HTTP request line.
 
-Example::
+Example HTTP Request::
+
+  GET /index.html HTTP/1.1
+  User-Agent: Mozilla/5.0
+  Host: suricata.io
+
+.. container:: example-rule
+
+  alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Request Example"; \
+  flow:established,to_server; :example-rule-options:`http.request_line; \
+  content:"GET /index.html HTTP/1.1";` bsize:24; classtype:bad-unknown; \
+  sid:60; rev:1;)
 
-    alert http any any -> any any (http.request_line; content:"GET / HTTP/1.0"; sid:1;)
+.. note:: ``http.request_line`` does not include the trailing \\r\\n
 
 .. _http.header:
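
Review bot: `bsize:24;` in the added example rule sits outside the :example-rule-options: highlight and the new text never explains it, even though it is a check on the http.request_line buffer and 24 is exactly the length of "GET /index.html HTTP/1.1" without the trailing CRLF. Consider moving `bsize:24;` inside the highlighted span, or adding one sentence that ties it to the note, so readers see that the size match only works because the buffer excludes the line terminator. As a style point, the note could render the terminator as an inline literal (double backticks around \r\n) instead of the escaped \\r\\n, and it is missing its closing period.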