detect/transform: add dotprefix keyword to doc

diff --git a/doc/userguide/rules/transforms.rst b/doc/userguide/rules/transforms.rst
index 79c5be9c5fc59d8fb13a06b6dac229270c32bf6b..204aaef60e923c32e22e33ee1289b4e26842e9c3 100644 (file)
--- a/doc/userguide/rules/transforms.rst
+++ b/doc/userguide/rules/transforms.rst
@@ -21,6 +21,37 @@ Example::
 
 .. note:: not all sticky buffers support transformations yet
 
+dotprefix
+---------
+
+Takes the buffer, and prepends a ``.`` character to help facilitate concise domain checks. For example,
+an input string of ``hello.google.com`` would be modified and become ``.hello.google.com``. Additionally,
+adding the dot allows ``google.com`` to match against ``content:".google.com"``
+
+Example::
+
+    alert http any any -> any any (dns.query; dotprefix; \
+        content:".microsoft.com"; sid:1;)
+
+This example will match on ``windows.update.microsoft.com`` and
+``maps.microsoft.com.au`` but not ``windows.update.fakemicrosoft.com``.
+
+This rule can be used to match on the domain only; example::
+
+    alert http any any -> any any (dns.query; dotprefix; \
+        content:".microsoft.com"; endswith; sid:1;)
+
+This example will match on ``windows.update.microsoft.com`` but not
+``windows.update.microsoft.com.au``.
+
+Finally, this rule can be used to match on the TLD only; example::
+
+    alert http any any -> any any (dns.query; dotprefix; \
+        content:".co.uk"; endswith; sid:1;)
+
+This example will match on ``maps.google.co.uk`` but not
+``maps.google.co.nl``.
+
 strip_whitespace
 ----------------