From: Andi Date: Thu, 31 Dec 2015 20:58:22 +0000 (+0100) Subject: doc: Document http_host and http_raw_host X-Git-Tag: suricata-3.2beta1~237 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=733f1a5842aa2f3244f7c54319e72c10d99a8539;p=thirdparty%2Fsuricata.git doc: Document http_host and http_raw_host Added doc for http_host and http_raw_host as mentioned in https://redmine.openinfosecfoundation.org/issues/756 --- diff --git a/doc/sphinx/rules/http-keywords.rst b/doc/sphinx/rules/http-keywords.rst index 623a301a8a..afa72218c0 100644 --- a/doc/sphinx/rules/http-keywords.rst +++ b/doc/sphinx/rules/http-keywords.rst @@ -286,6 +286,19 @@ Note: how much of the response/server body is inspected is controlled in your [[**FIXME** suricata.yaml#Configure-Libhtp]], in the "libhtp" section, via the ``response-body-limit`` setting. +http_host and http_raw_host +---------------- + +With the ``http_host`` content modifier, it is possible to +match specifically and only the normalized hostname. +The ``http_raw_host`` inspects the raw hostname. + +The keyword can be used in combination with most of the content modifiers +like ``distance``, ``offset``, ``within``, etc. + +The ``nocase`` keyword ist not allowed anymore. Keep in mind that you need +to specify a lowercase pattern. + file_data ---------
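Review bot: the last added paragraph ("The ``nocase`` keyword ist not allowed anymore. Keep in mind that you need to specify a lowercase pattern.") does not say which of the two keywords it applies to, and the preceding paragraph's "The keyword can be used in combination with..." has the same ambiguity. Only ``http_host`` is described as matching the normalized hostname, so please name the keyword explicitly in both sentences and state whether ``http_raw_host`` accepts ``nocase``. A rule writer who guesses wrong ends up with a signature that does not match the traffic it was written for. "anymore" also implies an earlier behaviour that the text never describes; either say what changed or drop the word. Two smaller points: the section underline is 16 dashes under a 27-character title ("http_host and http_raw_host"), which Sphinx reports as a title underline that is too short, so extend it to the title length as the ``file_data`` heading below does; and "ist" should be "is".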