doc: update file_data description

author Giuseppe Longo <glongo@stamus-networks.com>

Thu, 25 Jan 2018 07:58:01 +0000 (08:58 +0100)

committer Victor Julien <victor@inliniac.net>

Wed, 31 Jan 2018 13:31:00 +0000 (14:31 +0100)
author Giuseppe Longo <glongo@stamus-networks.com>
Thu, 25 Jan 2018 07:58:01 +0000 (08:58 +0100)
committer Victor Julien <victor@inliniac.net>
Wed, 31 Jan 2018 13:31:00 +0000 (14:31 +0100)
diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst

index f8c80f65a76a468016b55b8714639d7bdf07e5dc..56ba0200950ff04247e129c401655d5bb7a9fc2c 100644 (file)
--- a/doc/userguide/rules/http-keywords.rst
+++ b/doc/userguide/rules/http-keywords.rst
@@ -680,6 +680,26 @@ in your :ref:`libhtp configuration section
  <suricata-yaml-configure-libhtp>` via the ``response-body-limit``
  setting.
  
+If the HTTP body is a flash file compressed with 'deflate' or 'lzma',
+it can be decompressed and ``file_data`` can match on the decompress data.
+Flash decompression must be enabled under ``libhtp`` configuration:
+
+::
+
+    # Decompress SWF files.
+    # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma
+    # compress-depth:
+    # Specifies the maximum amount of data to decompress,
+    # set 0 for unlimited.
+    # decompress-depth:
+    # Specifies the maximum amount of decompressed data to obtain,
+    # set 0 for unlimited.
+    swf-decompression:
+      enabled: yes
+      type: both
+      compress-depth: 0
+      decompress-depth: 0
+
  Notes
  ~~~~~
author	Giuseppe Longo <glongo@stamus-networks.com>
	Thu, 25 Jan 2018 07:58:01 +0000 (08:58 +0100)
committer	Victor Julien <victor@inliniac.net>
	Wed, 31 Jan 2018 13:31:00 +0000 (14:31 +0100)