doc: add endswith keyword docs

author Travis Green <travis@travisgreen.net>

Thu, 5 Sep 2019 18:33:55 +0000 (11:33 -0700)

committer Victor Julien <victor@inliniac.net>

Fri, 6 Sep 2019 18:40:50 +0000 (20:40 +0200)
author Travis Green <travis@travisgreen.net>
Thu, 5 Sep 2019 18:33:55 +0000 (11:33 -0700)
committer Victor Julien <victor@inliniac.net>
Fri, 6 Sep 2019 18:40:50 +0000 (20:40 +0200)
diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst

index 59f8d2d877c2c843693fb79a2b42fd809413b4b0..4cdf124d4488226f477512d7afcfa71d244c7fcf 100644 (file)
--- a/doc/userguide/rules/payload-keywords.rst
+++ b/doc/userguide/rules/payload-keywords.rst
@@ -144,6 +144,24 @@ Example::
  ``startswith`` cannot be mixed with ``depth``, ``offset``, ``within`` or
  ``distance`` for the same pattern.
  
+endswith
+--------
+
+The ``endswith`` keyword is similar to ``isdataat:!1,relative;``. It takes no
+arguments and must follow a ``content`` keyword. It modifies the ``content`` to
+match exactly at the end of a buffer.
+
+Example::
+
+    content:".php"; endswith;
+
+``endswith`` is a short hand notation for::
+
+    content:".php"; isdatat:!1,relative;
+
+``endswith`` cannot be mixed with ``offset``, ``within`` or
+``distance`` for the same pattern.
+
  offset
  ------
author	Travis Green <travis@travisgreen.net>
	Thu, 5 Sep 2019 18:33:55 +0000 (11:33 -0700)
committer	Victor Julien <victor@inliniac.net>
	Fri, 6 Sep 2019 18:40:50 +0000 (20:40 +0200)