From: jason taylor Date: Sat, 3 Feb 2024 16:08:59 +0000 (+0000) Subject: doc: update http.location keyword information X-Git-Tag: suricata-8.0.0-beta1~1528 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=739dfe5e5efa8bed3821972f6d85840d9d839b2c;p=thirdparty%2Fsuricata.git doc: update http.location keyword information Ticket: 3025 Signed-off-by: jason taylor --- diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index cd8d1d8c64..316afaf483 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -966,13 +966,26 @@ Example HTTP Response:: http.location ------------- -Sticky buffer to match on the HTTP Location headers. Only contains the -header value. The \\r\\n after the header are not part of the buffer. +The ``http.location`` keyword is used to match on the HTTP response location +header contents. -Example:: +It is possible to use any of the :doc:`payload-keywords` with the +``http.location`` keyword. + +Example HTTP Response:: + + HTTP/1.1 200 OK + Content-Type: text/html + Server: nginx/0.8.54 + Location: suricata.io + +.. container:: example-rule + + alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP Location Example"; \ + flow:established,to_client; :example-rule-options:`http.location; \ + content:"suricata.io";` bsize:11; classtype:bad-unknown; sid:122; rev:1;) - alert http any any -> any any (flow:to_client; \ - http.location; content:"http://www.google.com"; sid:1;) +.. note:: ``http.location`` does not include the leading space or trailing \\r\\n .. _http.host:
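Review bot: The added "Example HTTP Response" pairs the status line `HTTP/1.1 200 OK` with a `Location: suricata.io` header. `Location` is normally sent on 3xx redirects (or 201 Created), so a status such as `HTTP/1.1 302 Found` would make the example match the traffic a rule author will actually write this keyword against. The removed text also told readers that this is a sticky buffer, and the replacement no longer says so. Keeping that term in the first sentence would explain why `content:"suricata.io";` and `bsize:11;` in the example rule are evaluated against the header value rather than the whole payload. On the same point, `bsize:11;` sits outside the `:example-rule-options:` highlight although it constrains the same buffer, so consider moving it inside the highlighted span. Minor: the closing `.. note::` sentence has no final period.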