From: jason taylor Date: Sat, 3 Feb 2024 15:58:07 +0000 (+0000) Subject: doc: update http.response_body keyword information X-Git-Tag: suricata-8.0.0-beta1~1530 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3af98f3b92dd268cf5241bca39979e844d8ccc60;p=thirdparty%2Fsuricata.git doc: update http.response_body keyword information Ticket: 3025 Signed-off-by: jason taylor --- diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index 578c49743e..fb27d5632f 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst 
@@ -906,38 +906,36 @@ Example HTTP Response:: http.response_body ------------------ -With the ``http.response_body`` sticky buffer, it is possible to -match specifically and only on the HTTP response body. The keyword can -be used in combination with all previously mentioned content modifiers -like ``distance``, ``offset``, ``nocase``, ``within``, etc. +The ``http.response_body`` keyword is used to match on the HTTP response body. -Note: how much of the response/server body is inspected is controlled -in your :ref:`libhtp configuration section -` via the ``response-body-limit`` -setting. +It is possible to use any of the :doc:`payload-keywords` with the +``http.response_body`` keyword. -Notes -~~~~~ +Example HTTP Response:: -- Using ``http.response_body`` is similar to having content matches - that come after ``file.data`` except that it doesn't permanently - (unless reset) set the detection pointer to the beginning of the - server response body. i.e. it is not a sticky buffer. + HTTP/1.1 200 OK + Content-Type: text/html + Server: nginx/0.8.54 -- ``http.response_body`` will match on gzip decoded data just like - ``file.data`` does. + Server response body -- Since ``http.response_body`` matches on a server response, it - can't be used with the ``to_server`` or ``from_client`` flow - directives. +.. container:: example-rule + + alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP Response Body \ + Example"; flow:established,to_client; :example-rule-options:`http.response_body; \ + content:"Server response body";` classtype:bad-unknown; sid:120; rev:1;) -- Corresponding PCRE modifier: ``Q`` +.. note:: ``http.response_body`` will match on gzip decoded data just like + :ref:`file.data` does. -- further notes at the ``file.data`` section below. +.. note:: How much of the response/server body is inspected is controlled + in your :ref:`libhtp configuration section + ` via the ``response-body-limit`` + setting. 
-``http.response_body`` replaces the previous keyword name: ```http_server_body``. You may continue -+to use the previous name, but it's recommended that rules be converted to use -+the new name. +.. note:: ``http.response_body`` replaces the previous keyword name, + ``http_server_body``. ``http_server_body`` can still be used but it is + recommended that rules be converted to use ``http.response_body``. .. _http.server:
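Review bot: the rewrite drops two facts from the old Notes list that the new three ``.. note::`` blocks do not carry over: that ``http.response_body`` matches on the server response only and so cannot be combined with the ``to_server`` or ``from_client`` flow directives, and that the corresponding PCRE modifier is ``Q``. Suggest keeping both in a fourth note, e.g. ``.. note:: ``http.response_body`` matches on the server response only, so it cannot be used with the ``to_server`` or ``from_client`` flow directives. The corresponding PCRE modifier is ``Q``.`` Separately, the removed text contradicted itself on whether the keyword is a sticky buffer ("With the ``http.response_body`` sticky buffer" versus "i.e. it is not a sticky buffer"); the new opening sentence avoids the term altogether, but the example rule relies on sticky-buffer semantics (``content`` placed after ``http.response_body``), so the first sentence should state it plainly, as the other ``http.*`` sections in this file do.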