git.ipfire.org Git - thirdparty/suricata.git/commitdiff
doc: update http.server keyword information
author: jason taylor <jtfas90@gmail.com>
Sat, 3 Feb 2024 16:03:23 +0000 (16:03 +0000)
committer: Victor Julien <victor@inliniac.net>
Wed, 10 Apr 2024 05:03:07 +0000 (07:03 +0200)
Ticket: 3025

Signed-off-by: jason taylor <jtfas90@gmail.com>
doc/userguide/rules/http-keywords.rst

index fb27d5632ff746c13c5bae216d213af46bb8e1f2..cd8d1d8c648d93e347ec62ac1a6168662c198558 100644 (file)
@@ -942,13 +942,24 @@ Example HTTP Response::
 http.server
 -----------
 
-Sticky buffer to match on the HTTP Server headers. Only contains the
-header value. The \\r\\n after the header are not part of the buffer.
+The ``http.server`` keyword is used to match on the HTTP response server
+header contents.
 
-Example::
+It is possible to use any of the :doc:`payload-keywords` with the
+``http.server`` keyword.
 
-    alert http any any -> any any (flow:to_client; \
-            http.server; content:"Microsoft-IIS/6.0"; sid:1;)
+Example HTTP Response::
+
+  HTTP/1.1 200 OK
+  Content-Type: text/html
+  Server: nginx/0.8.54
+
+.. container:: example-rule
+
+  alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP Server Example"; flow:established,to_client; :example-rule-options:`http.server; \
+  content:"nginx/0.8.54";` bsize:12; classtype:bad-unknown; sid:121; rev:1;)
+
+.. note:: ``http.server`` does not include the leading space or trailing \\r\\n
 
 .. _http.location:
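
Review bot: in the example rule, bsize:12; sits outside the :example-rule-options: span even though it constrains the http.server buffer (it equals the 12-byte length of nginx/0.8.54), and the prose never mentions it. Either extend the highlighted span to cover bsize:12; or add a sentence saying the size check applies to the buffer, so readers do not take it for a generic rule option. The rewritten description also drops the removed lines' statement that this is a sticky buffer containing only the header value; keeping that wording next to the new note would preserve the information, and the note sentence should end with a period.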