git.ipfire.org Git - thirdparty/suricata.git/commitdiff
doc: update http.response_line keyword information
author jason taylor <jtfas90@gmail.com>
Sat, 3 Feb 2024 15:48:25 +0000 (15:48 +0000)
committer Victor Julien <victor@inliniac.net>
Wed, 10 Apr 2024 05:03:07 +0000 (07:03 +0200)
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
doc/userguide/rules/http-keywords.rst

index a6138e2bb283ddab0d6b62c1ab85307ad4474ef5..578c49743e569eb14964ac831585bd7fef68b4e8 100644 (file)
@@ -881,11 +881,25 @@ Example HTTP Response::
 http.response_line
 ------------------
 
-The ``http.response_line`` forces the whole HTTP response line to be inspected.
+The ``http.response_line`` keyword is used to match on the entire HTTP
+response line.
 
-Example::
+It is possible to use any of the :doc:`payload-keywords` with the
+``http.response_line`` keyword.
+
+Example HTTP Response::
+
+  HTTP/1.1 200 OK
+  Content-Type: text/html
+  Server: nginx/0.8.54
+
+.. container:: example-rule
+
+  alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP Response Line \
+  Example"; flow:established,to_client; :example-rule-options:`http.response_line; \
+  content:"HTTP/1.1 200 OK";` classtype:bad-unknown; sid:119; rev:1;)
 
-    alert http any any -> any any (http.response_line; content:"HTTP/1.0 200 OK"; sid:1;)
+.. note:: ``http.response_line`` does not include the trailing \\r\\n
 
 .. _http.response_body:
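
Review bot: the added note at the end of the hunk writes the line terminator as `\\r\\n` in running text, so it depends on RST backslash escaping to render correctly and reads oddly in the source. Marking it as an inline literal, the same way ``http.response_line`` is marked up in that sentence, would be unambiguous in both source and rendered output: `.. note:: ``http.response_line`` does not include the trailing ``\r\n``.` The sentence is also missing its closing period. Since the example rule matches `content:"HTTP/1.1 200 OK";` against the buffer, the note is the only place a rule writer learns that the terminator is excluded, so it is worth making it render reliably.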