git.ipfire.org Git - thirdparty/suricata.git/commitdiff
doc: Document http_host and http_raw_host
author Andi <andi@geekosphere.org>
Thu, 31 Dec 2015 20:58:22 +0000 (21:58 +0100)
committer Victor Julien <victor@inliniac.net>
Wed, 28 Sep 2016 11:11:10 +0000 (13:11 +0200)
Added doc for http_host and http_raw_host as mentioned in https://redmine.openinfosecfoundation.org/issues/756

doc/sphinx/rules/http-keywords.rst

index 623a301a8a7ff7165afa1f035cd176543537631a..afa72218c010d91ddf97dedeea540fc2452edec2 100644 (file)
@@ -286,6 +286,19 @@ Note: how much of the response/server body is inspected is controlled
 in your [[**FIXME** suricata.yaml#Configure-Libhtp]], in the "libhtp" section,
 via the ``response-body-limit`` setting.
 
+http_host and http_raw_host
+----------------
+
+With the ``http_host`` content modifier, it is possible to
+match specifically and only the normalized hostname.
+The ``http_raw_host`` inspects the raw hostname.
+
+The keyword can be used in combination with most of the content modifiers
+like ``distance``, ``offset``, ``within``, etc.
+
+The ``nocase`` keyword ist not allowed anymore. Keep in mind that you need
+to specify a lowercase pattern.
+
 file_data
 ---------
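Review bot: The underline added beneath the new "http_host and http_raw_host" heading is shorter than the 27-character title, which docutils flags as "Title underline too short"; extend the dashes to at least the title's length. In the last added paragraph "ist" should be "is". The second and third added paragraphs say "The keyword" and state the nocase restriction without naming which of the two keywords they mean, so a rule writer cannot tell whether the lowercase-pattern requirement applies to http_raw_host as well as http_host; name the keyword in each sentence. The section also has no example rule, so one short rule per keyword would make the normalized versus raw distinction concrete.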