http.response_body
------------------
-With the ``http.response_body`` sticky buffer, it is possible to
-match specifically and only on the HTTP response body. The keyword can
-be used in combination with all previously mentioned content modifiers
-like ``distance``, ``offset``, ``nocase``, ``within``, etc.
+The ``http.response_body`` keyword is used to match on the HTTP response body.
-Note: how much of the response/server body is inspected is controlled
-in your :ref:`libhtp configuration section
-<suricata-yaml-configure-libhtp>` via the ``response-body-limit``
-setting.
+It is possible to use any of the :doc:`payload-keywords` with the
+``http.response_body`` keyword.
-Notes
-~~~~~
+Example HTTP Response::
-- Using ``http.response_body`` is similar to having content matches
- that come after ``file.data`` except that it doesn't permanently
- (unless reset) set the detection pointer to the beginning of the
- server response body. i.e. it is not a sticky buffer.
+ HTTP/1.1 200 OK
+ Content-Type: text/html
+ Server: nginx/0.8.54
-- ``http.response_body`` will match on gzip decoded data just like
- ``file.data`` does.
+ Server response body
-- Since ``http.response_body`` matches on a server response, it
- can't be used with the ``to_server`` or ``from_client`` flow
- directives.
+.. container:: example-rule
+
+ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP Response Body \
+ Example"; flow:established,to_client; :example-rule-options:`http.response_body; \
+ content:"Server response body";` classtype:bad-unknown; sid:120; rev:1;)
-- Corresponding PCRE modifier: ``Q``
+.. note:: ``http.response_body`` will match on gzip decoded data just like
+ :ref:`file.data` does.
-- further notes at the ``file.data`` section below.
+.. note:: How much of the response/server body is inspected is controlled
+ in your :ref:`libhtp configuration section
+ <suricata-yaml-configure-libhtp>` via the ``response-body-limit``
+ setting.
-``http.response_body`` replaces the previous keyword name: ```http_server_body``. You may continue
-+to use the previous name, but it's recommended that rules be converted to use
-+the new name.
+.. note:: ``http.response_body`` replaces the previous keyword name,
+ ``http_server_body``. ``http_server_body`` can still be used but it is
+ recommended that rules be converted to use ``http.response_body``.
.. _http.server:
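Review bot: two facts from the removed bullet list are dropped without a replacement in the new ``.. note::`` blocks: that ``http.response_body`` inspects server-to-client data only and therefore cannot be combined with the ``to_server`` or ``from_client`` flow directives, and that the corresponding ``pcre`` modifier is ``Q``. Both are things rule writers look up on this page; the added example's ``flow:established,to_client`` shows the right direction but does not state the restriction. Suggest keeping them in the same note form after the gzip note, e.g. ``.. note:: Since ``http.response_body`` matches on a server response, it can't be used with the ``to_server`` or ``from_client`` flow directives.`` and a one-line note for the ``Q`` modifier, unless the pcre section is updated to carry that mapping. Also check that the "Example HTTP Response" literal block keeps an empty line between ``Server: nginx/0.8.54`` and ``Server response body``; none is visible in the added lines, and without it the block does not show a valid response. Dropping the old "i.e. it is not a sticky buffer" wording, which contradicted the opening sentence, and the stray leading ``+`` characters on the old ``http_server_body`` paragraph is correct.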