doc/http2: explicit behavior for some http keywords

HTTP/2 does not define a way to carry the version or reason phrase
that is included in an HTTP/1.1 status line.

Ticket: 6548

diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst
index a453846bcbb7d34bee1bf25fdab1b63888ea8f77..a26d3cacb0520118a2522d3b2e794564237d7e18 100644 (file)
--- a/doc/userguide/rules/http-keywords.rst
+++ b/doc/userguide/rules/http-keywords.rst
@@ -796,6 +796,9 @@ http.stat_msg
 The ``http.stat_msg`` keyword is used to match on the HTTP status message
 that can be present in an HTTP response.
 
+For HTTP/2, an empty buffer is returned by Suricata.
+See rfc 7540 section 8.1.2.4. about Response Pseudo-Header Fields.
+
 It is possible to use any of the :doc:`payload-keywords` with the
 ``http.stat_msg`` keyword.
 
@@ -1216,6 +1219,9 @@ http.protocol
 The ``http.protocol`` keyword is used to match on the protocol field that is
 contained in HTTP requests and responses.
 
+For HTTP/2, the constant string "HTTP/2" is used.
+See rfc 7540 section 8.1.2.4. about Response Pseudo-Header Fields.
+
 It is possible to use any of the :doc:`payload-keywords` with the
 ``http.protocol`` keyword.