git.ipfire.org Git - thirdparty/suricata.git/commitdiff
doc: update http.accept_lang keyword information
author jason taylor <jtfas90@gmail.com>
Tue, 9 Jan 2024 22:42:15 +0000 (22:42 +0000)
committer Victor Julien <victor@inliniac.net>
Wed, 10 Apr 2024 05:03:07 +0000 (07:03 +0200)
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
doc/userguide/rules/http-keywords.rst

index 76c15845962b893ca4c3ef39bac434197b465c3f..e13b66c8ea3b15d901573857b106793d1d9e2221 100644 (file)
@@ -502,12 +502,27 @@ Example HTTP Request::
 http.accept_lang
 ----------------
 
-Sticky buffer to match on the HTTP Accept-Language header. Only contains the
-header value. The \\r\\n after the header are not part of the buffer.
+The ``http.accept_lang`` keyword is used to match on the Accept-Language field
+that can be present in HTTP request headers.
 
-Example::
+It is possible to use any of the :doc:`payload-keywords` with the
+``http.accept_lang`` keyword.
+
+Example HTTP Request::
+
+  GET /index.html HTTP/1.1
+  User-Agent: Mozilla/5.0
+  Accept-Language: en-US
+  Host: suricata.io
+
+.. container:: example-rule
+
+  alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Accept-Encoding Example"; \
+  flow:established,to_server; :example-rule-options:`http.accept_lang; \
+  content:"en-US";` bsize:5; classtype:bad-unknown; sid:93; rev:1;)
 
-    alert http any any -> any any (http.accept_lang; content:"en-us"; sid:1;)
+.. note:: ``http.accept_lang`` does not include the leading space or
+  trailing \\r\\n
 
 .. _http.connection:
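Review bot: the msg in the added example rule reads "HTTP Accept-Encoding Example", but the rule matches on ``http.accept_lang`` and the sample request carries ``Accept-Language: en-US``, so this looks like a copy/paste from the accept_enc section; it should read msg:"HTTP Accept-Language Example". Two smaller points in the same hunk: the removed text called this a sticky buffer and the new wording drops that term, so consider keeping it in the first sentence so readers know how later content modifiers attach to it; and the example content changed from "en-us" to "en-US" with no ``nocase``, so it would help to state whether the match is case-sensitive against the header value. The closing note also lacks a final period.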