git.ipfire.org Git - thirdparty/suricata.git/commitdiff
doc: update file.name keyword information
author: jason taylor <jtfas90@gmail.com>
Mon, 17 Jul 2023 16:36:58 +0000 (16:36 +0000)
committer: Victor Julien <victor@inliniac.net>
Mon, 7 Aug 2023 18:40:58 +0000 (20:40 +0200)
Signed-off-by: jason taylor <jtfas90@gmail.com>
doc/userguide/rules/file-keywords.rst

index 199bf5f6411c41acce69e382c6a346bed90d1c3e..9f2ce750a99128c68478deadb8c85f65b0242065 100644 (file)
@@ -5,20 +5,30 @@ Suricata comes with several rule keywords to match on various file
 properties. They depend on properly configured
 :doc:`../file-extraction/file-extraction`.
 
-filename
---------
+file.name
+---------
 
-Matches on the file name.
+``file.name`` is a sticky buffer that is used to look at filenames
+that are seen in flows that Suricata evaluates. The various payload
+keywords can be used (e.g. ``startswith``, ``nocase`` and ``bsize``)
+with ``file.name``.
 
-Syntax::
+Example::
 
-  filename:<string>;
+  file.name; content:"examplefilename";
+
+``file.name`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
+
+**Note** ``filename`` can still be used. A notable difference between
+``file.name`` and ``filename`` is that ``filename`` assumes ``nocase``
+by default. In the example below the two signatures are considered
+the same.
 
 Example::
 
-  filename:"secret";
+  filename:"examplefilename";
 
-``file.name`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.
+  file.name; content:"examplefilename"; nocase;
 
 fileext
 -------
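Review bot: the added paragraph beginning `+**Note** ``filename`` can still be used.` should use the reStructuredText `.. note::` directive rather than bold text, so it renders as an admonition consistent with the rest of the userguide instead of as an inline "**Note**" label. In the same paragraph, "In the example below the two signatures are considered the same" is imprecise: the two lines that follow (`filename:"examplefilename";` and `file.name; content:"examplefilename"; nocase;`) are rule fragments, not complete signatures, and the important point for a rule writer is the inverse of what is stated, namely that ``file.name`` is case-sensitive unless ``nocase`` is given; suggest "The two matches below are equivalent: ``filename`` is case-insensitive, so ``file.name`` needs an explicit ``nocase`` to match the same way." Finally, "The various payload keywords can be used (e.g. ``startswith``, ``nocase`` and ``bsize``) with ``file.name``" reads awkwardly; "The usual content modifiers (e.g. ``startswith``, ``nocase`` and ``bsize``) apply to ``file.name``" says the same thing more directly.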