git.ipfire.org Git - thirdparty/suricata.git/commitdiff
doc: update file.name keyword information
author jason taylor <jtfas90@gmail.com>
Mon, 17 Jul 2023 16:36:58 +0000 (16:36 +0000)
committer jason taylor <jtfas90@gmail.com>
Tue, 8 Aug 2023 14:59:08 +0000 (14:59 +0000)
Signed-off-by: jason taylor <jtfas90@gmail.com>
doc/userguide/rules/file-keywords.rst

index 2d796bee7378b6144f4ab90e0db7339d02b72ad0..2992992c72d3d621cc51ce767fdc81dfa1936f55 100644 (file)
@@ -5,18 +5,28 @@ Suricata comes with several rule keywords to match on various file
 properties. They depend on properly configured
 :doc:`../file-extraction/file-extraction`.
 
-filename
---------
+file.name
+---------
 
-Matches on the file name.
+``file.name`` is a sticky buffer that is used to look at filenames
+that are seen in flows that Suricata evaluates. The various payload
+keywords can be used (e.g. ``startswith``, ``nocase`` and ``bsize``)
+with ``file.name``.
 
-Syntax::
+Example::
 
-  filename:<string>;
+  file.name; content:"examplefilename";
+
+**Note** ``filename`` can still be used. A notable difference between
+``file.name`` and ``filename`` is that ``filename`` assumes ``nocase``
+by default. In the example below the two signatures are considered
+the same.
 
 Example::
 
-  filename:"secret";
+  filename:"examplefilename";
+
+  file.name; content:"examplefilename"; nocase;
 
 fileext
 --------
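Review bot: the `**Note**` in the new paragraph ("**Note** ``filename`` can still be used.") is a bold word rather than the reStructuredText ``.. note::`` admonition, so it will not render as a callout like other notes in the userguide; consider turning that paragraph into a ``.. note::`` block. Two smaller points in the same hunk: the sentence "``file.name`` is a sticky buffer that is used to look at filenames that are seen in flows that Suricata evaluates" would read more tightly as "``file.name`` is a sticky buffer matching on filenames seen in flows Suricata inspects", and the second ``Example::`` block stacks the ``filename:"examplefilename";`` and ``file.name; content:"examplefilename"; nocase;`` signatures with no marker showing which is the legacy form, so a short inline comment (``# legacy form`` / ``# equivalent sticky-buffer form``) would make the "considered the same" claim easier to verify at a glance.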