* :ref:`http.accept_enc`
* :ref:`http.referer`
* :ref:`file.name`
+ * :ref:`urilen`
Response Keywords:
* :ref:`http.stat_msg`
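Review bot: The new ``:ref:`urilen``` list entry needs a matching ``.. _urilen:`` label to resolve, and no such label is visible in this diff near the ``urilen`` heading. The neighbouring entries all point at explicit labels such as ``http.referer`` and ``file.name``. Please confirm the label exists above the section heading, or add it in this patch, so the docs build does not emit an undefined-label warning.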
urilen
------
-The ``urilen`` keyword is used to match on the length of the request
+The ``urilen`` keyword is used to match on the length of the normalized request
URI. It is possible to use the ``<`` and ``>`` operators, which
-indicate respectively *smaller than* and *larger than*.
+indicate respectively *less than* and *larger than*.
urilen uses an :ref:`unsigned 64-bit integer <rules-integer-keywords>`.
-The format of ``urilen`` is::
+The ``urilen`` keyword does not require a content match on the :ref:`http.uri`
+buffer or the :ref:`http.uri.raw` buffer.
- urilen:3;
+Example HTTP Request::
-Other possibilities are::
+ GET /index.html HTTP/1.1
+ User-Agent: Mozilla/5.0
+ Host: suricata.io
- urilen:1;
- urilen:>1;
- urilen:<10;
- urilen:10<>20; (bigger than 10, smaller than 20)
+.. container:: example-rule
-Example:
+ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Request"; \
+ flow:established,to_server; :example-rule-options:`urilen:11;` \
+ http.method; content:"GET"; classtype:bad-unknown; sid:40; rev:1;)
+The above signature would match on any HTTP GET request that has a URI
+length of 11, regardless of the content or structure of the URI.
-Example of ``urilen`` in a signature:
+The following signatures would all alert on the example request above as well
+and show the different ``urilen`` options.
.. container:: example-rule
- alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/frame.html?"; :example-rule-emphasis:`urilen: > 80;` classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo; sid:2009173; rev:2;)
+ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"urilen greater than 10"; \
+ flow:established,to_server; :example-rule-options:`urilen:>10;` \
+ classtype:bad-unknown; sid:41; rev:1;)
+
+ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"urilen less than 12"; \
+ flow:established,to_server; :example-rule-options:`urilen:<12;` \
+ classtype:bad-unknown; sid:42; rev:1;)
-You can also append ``norm`` or ``raw`` to define what sort of buffer you want
-to use (normalized or raw buffer).
+ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"urilen greater/less than \
+ example"; flow:established,to_server; :example-rule-options:`urilen:10<>12;` \
+ classtype:bad-unknown; sid:43; rev:1;)
.. _http.protocol:
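Review bot: The removed sentence "You can also append ``norm`` or ``raw`` to define what sort of buffer you want to use" has no replacement in the new text, even though the new opening sentence says the length is taken from the normalized request URI and the added paragraph names the ``http.uri.raw`` buffer. If the raw option is still accepted, keep a sentence and an example rule for it. If it is not, say so explicitly, because rule writers who size-check URIs need to know which buffer is measured. Two smaller points in the same hunk: the old note "(bigger than 10, smaller than 20)" was dropped, so the text no longer says that ``urilen:10<>12`` excludes both bounds (the example only matches length 11 because it does). And "*less than* and *larger than*" should read "*less than* and *greater than*" to match the ``msg`` strings in the new rules.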