doc: update file.magic information

Signed-off-by: jason taylor <jtfas90@gmail.com>

diff --git a/doc/userguide/rules/file-keywords.rst b/doc/userguide/rules/file-keywords.rst
index ec7fd1ab6a6c5f4d1e15edf4154622ba25471c24..a9b24deafe07caa1018ea592e618ae1381aa1738 100644 (file)
--- a/doc/userguide/rules/file-keywords.rst
+++ b/doc/userguide/rules/file-keywords.rst
@@ -67,21 +67,33 @@ Example::
 
   file.name; content:".pd";
 
-filemagic
----------
+file.magic
+----------
 
 Matches on the information libmagic returns about a file.
 
-Syntax::
+Example::
 
-  filemagic:<string>;
+  file.magic; content:"executable for MS Windows";
+
+**Note** ``filemagic`` can still be used. The only difference between
+``file.magic`` and ``file.magic`` is that ``filemagic`` assumes ``nocase``
+by default. In the example below the two signatures are considered
+the same.
 
 Example::
 
   filemagic:"executable for MS Windows";
 
-Note: as libmagic versions differ between installations, the returned
-information may also slightly change. See also #437.
+  file.magic; content:"executable for MS Windows"; nocase;
+
+Note: Suricata currently uses its underlying operating systems
+version/implementation of libmagic. Different versions and
+implementations of libmagic do not return the same information.
+Additionally there are varying Suricata performance impacts
+based on the version and implementation of libmagic.
+Additional information about Suricata and libmagic can be found
+here: https://redmine.openinfosecfoundation.org/issues/437
 
 ``file.magic`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.