doc: update file.magic information

Signed-off-by: jason taylor <jtfas90@gmail.com>

diff --git a/doc/userguide/rules/file-keywords.rst b/doc/userguide/rules/file-keywords.rst
index ede6ba65ce6e7792b7c756491507e1e6a542ad1d..f33aba05d2d82c781304cb9696af68d916aaa4e8 100644 (file)
--- a/doc/userguide/rules/file-keywords.rst
+++ b/doc/userguide/rules/file-keywords.rst
@@ -31,21 +31,33 @@ Example::
 
   fileext:"jpg";
 
-filemagic
----------
+file.magic
+----------
 
 Matches on the information libmagic returns about a file.
 
-Syntax::
+Example::
+
+  file.magic; content:"executable for MS Windows";
 
-  filemagic:<string>;
+**Note** ``filemagic`` can still be used. The only difference between
+``file.magic`` and ``file.magic`` is that ``filemagic`` assumes ``nocase``
+by default. In the example below the two signatures are considered
+the same.
 
 Example::
 
   filemagic:"executable for MS Windows";
 
-Note: as libmagic versions differ between installations, the returned
-information may also slightly change. See also #437.
+  file.magic; content:"executable for MS Windows"; nocase;
+
+Note: Suricata currently uses its underlying operating systems
+version/implementation of libmagic. Different versions and
+implementations of libmagic do not return the same information.
+Additionally there are varying Suricata performance impacts
+based on the version and implementation of libmagic.
+Additional information about Suricata and libmagic can be found
+here: https://redmine.openinfosecfoundation.org/issues/437
 
 filestore
 ---------