From: Travis Green Date: Thu, 5 Sep 2019 18:33:55 +0000 (-0700) Subject: doc: add endswith keyword docs X-Git-Tag: suricata-5.0.0-rc1~83 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3f146cdd7e965ef46a4c8ae1052151a57723a589;p=thirdparty%2Fsuricata.git doc: add endswith keyword docs --- diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index 59f8d2d877..4cdf124d44 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst @@ -144,6 +144,24 @@ Example:: ``startswith`` cannot be mixed with ``depth``, ``offset``, ``within`` or ``distance`` for the same pattern. +endswith +-------- + +The ``endswith`` keyword is similar to ``isdataat:!1,relative;``. It takes no +arguments and must follow a ``content`` keyword. It modifies the ``content`` to +match exactly at the end of a buffer. + +Example:: + + content:".php"; endswith; + +``endswith`` is a short hand notation for:: + + content:".php"; isdatat:!1,relative; + +``endswith`` cannot be mixed with ``offset``, ``within`` or +``distance`` for the same pattern. + offset ------
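Review bot: The shorthand example in the added endswith section misspells the keyword: `content:".php"; isdatat:!1,relative;` should read `content:".php"; isdataat:!1,relative;`, matching the `isdataat:!1,relative;` spelling used in the first sentence of the same section. As written, a reader who copies the "equivalent" form into a rule gets a keyword name that differs from the one the section itself documents. Two smaller points in the same hunk: "short hand notation" should be "shorthand notation", and the restriction sentence lists only ``offset``, ``within`` and ``distance``, while the ``startswith`` text in the context lines just above also lists ``depth``. If ``depth`` is deliberately allowed together with ``endswith``, a sentence saying so would keep readers from assuming it was dropped by mistake.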