git.ipfire.org Git - thirdparty/suricata.git/commitdiff
doc: update http.referer keyword information
author jason taylor <jtfas90@gmail.com>
Wed, 31 Jan 2024 22:33:01 +0000 (22:33 +0000)
committer Victor Julien <victor@inliniac.net>
Wed, 10 Apr 2024 05:03:07 +0000 (07:03 +0200)
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
doc/userguide/rules/http-keywords.rst

index 2e18ddbf57fa35427d79a0af183118be46485e2e..50aac6eacd35c1326d1aa7c127c0fb0a593d9b56 100644 (file)
@@ -649,14 +649,29 @@ than 100 we could use the following signature.
 .. _http.referer:
 
 http.referer
----------------
+------------
 
-Sticky buffer to match on the HTTP Referer header. Only contains the
-header value. The \\r\\n after the header are not part of the buffer.
+The ``http.referer`` keyword is used to match on the Referer field that
+can be present in HTTP request headers.
 
-Example::
+It is possible to use any of the :doc:`payload-keywords` with the
+``http.referer`` keyword.
+
+Example HTTP Request::
+
+  GET / HTTP/1.1
+  Host: suricata.io
+  Referer: https://suricata.io
 
-    alert http any any -> any any (http.referer; content:".php"; sid:1;)
+.. container:: example-rule
+
+  alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Referer Example"; \
+  flow:established,to_server; :example-rule-options:`http.referer; \
+  content:"http|3a 2f 2f|suricata.io";` bsize:19; classtype:bad-unknown; \
+  sid:200; rev:1;)
+
+.. note:: ``http.referer`` does not include the leading space or trailing
+   \\r\\n
 
 .. _http.start:
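
Review bot: The example rule in the new example-rule container cannot match the example request added just above it. The request carries "Referer: https://suricata.io", which is 19 bytes, but the rule's content is "http|3a 2f 2f|suricata.io", that is "http://suricata.io" (18 bytes), and that string is not a substring of the https value because the byte after "http" is "s", not ":". The bsize:19 only fits the https form, so the content and bsize disagree with each other as well. Suggest either content:"https|3a 2f 2f|suricata.io"; with bsize:19; or changing the example header to "Referer: http://suricata.io" with bsize:18;, so that the request, the content and the bsize all describe the same buffer. The removed text also said this is a sticky buffer, and the new wording no longer does; it would be worth keeping that term if the other keyword sections in this file still use it.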