From: jason taylor Date: Sat, 3 Feb 2024 15:48:25 +0000 (+0000) Subject: doc: update http.response_line keyword information X-Git-Tag: suricata-8.0.0-beta1~1531 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64760e2e75b90cd9db01037dbba2fbeb162bf1a0;p=thirdparty%2Fsuricata.git doc: update http.response_line keyword information Ticket: 3025 Signed-off-by: jason taylor --- diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index a6138e2bb2..578c49743e 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -881,11 +881,25 @@ Example HTTP Response:: http.response_line ------------------ -The ``http.response_line`` forces the whole HTTP response line to be inspected. +The ``http.response_line`` keyword is used to match on the entire HTTP +response line. -Example:: +It is possible to use any of the :doc:`payload-keywords` with the +``http.response_line`` keyword. + +Example HTTP Response:: + + HTTP/1.1 200 OK + Content-Type: text/html + Server: nginx/0.8.54 + +.. container:: example-rule + + alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP Response Line \ + Example"; flow:established,to_client; :example-rule-options:`http.response_line; \ + content:"HTTP/1.1 200 OK";` classtype:bad-unknown; sid:119; rev:1;) - alert http any any -> any any (http.response_line; content:"HTTP/1.0 200 OK"; sid:1;) +.. note:: ``http.response_line`` does not include the trailing \\r\\n .. _http.response_body:
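Review bot: in the hunk for ``http.response_line``, the new example rule's ``content:"HTTP/1.1 200 OK"`` is an unanchored substring match, so it does not by itself demonstrate the point made in the added ``.. note::`` that the buffer excludes the trailing \r\n. Consider anchoring the match so the example and the note reinforce each other, e.g. ``content:"HTTP/1.1 200 OK"; bsize:15;`` (the status line in the "Example HTTP Response" is exactly 15 bytes without the CRLF), which shows a reader that the whole buffer is the bare status line. Minor: the replaced example matched ``HTTP/1.0 200 OK`` while the new response and rule both use ``HTTP/1.1``; that is consistent now, just confirm the version change was intended rather than carried over from copy-editing.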