From: jason taylor Date: Mon, 17 Jul 2023 16:36:58 +0000 (+0000) Subject: doc: update file.name keyword information X-Git-Tag: suricata-6.0.14~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5bff34860f7098b6dc9b9f057f66d23f76583ed0;p=thirdparty%2Fsuricata.git doc: update file.name keyword information Signed-off-by: jason taylor --- diff --git a/doc/userguide/rules/file-keywords.rst b/doc/userguide/rules/file-keywords.rst index 2d796bee73..2992992c72 100644 --- a/doc/userguide/rules/file-keywords.rst +++ b/doc/userguide/rules/file-keywords.rst @@ -5,18 +5,28 @@ Suricata comes with several rule keywords to match on various file properties. They depend on properly configured :doc:`../file-extraction/file-extraction`. -filename --------- +file.name +--------- -Matches on the file name. +``file.name`` is a sticky buffer that is used to look at filenames +that are seen in flows that Suricata evaluates. The various payload +keywords can be used (e.g. ``startswith``, ``nocase`` and ``bsize``) +with ``file.name``. -Syntax:: +Example:: - filename:; + file.name; content:"examplefilename"; + +**Note** ``filename`` can still be used. A notable difference between +``file.name`` and ``filename`` is that ``filename`` assumes ``nocase`` +by default. In the example below the two signatures are considered +the same. Example:: - filename:"secret"; + filename:"examplefilename"; + + file.name; content:"examplefilename"; nocase; fileext --------
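Review bot: the new opening sentence ("``file.name`` is a sticky buffer that is used to look at filenames that are seen in flows that Suricata evaluates") is wordy; suggest "``file.name`` is a sticky buffer that matches on file names observed in flows Suricata inspects." The "**Note**" paragraph should use the Sphinx ``.. note::`` directive rather than inline bold, to stay consistent with the rest of the reStructuredText user guide. Since the hunk drops the old "Syntax::" block, consider keeping a one-line syntax entry for the sticky buffer (``file.name; content:"...";``) ahead of the examples, and, given the stated ``nocase`` difference, state explicitly that ``file.name`` without ``nocase`` is case-sensitive so readers converting ``filename`` rules do not silently lose matches.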