From: Philippe Antoine Date: Wed, 26 Mar 2025 15:21:56 +0000 (+0100) Subject: doc/http2: explicit behavior for some http keywords X-Git-Tag: suricata-8.0.0-beta1~197 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=879a733c12cabad99ca278293bee65ba33500f37;p=thirdparty%2Fsuricata.git doc/http2: explicit behavior for some http keywords HTTP/2 does not define a way to carry the version or reason phrase that is included in an HTTP/1.1 status line. Ticket: 6548 --- diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index a453846bcb..a26d3cacb0 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -796,6 +796,9 @@ http.stat_msg The ``http.stat_msg`` keyword is used to match on the HTTP status message that can be present in an HTTP response. +For HTTP/2, an empty buffer is returned by Suricata. +See rfc 7540 section 8.1.2.4. about Response Pseudo-Header Fields. + It is possible to use any of the :doc:`payload-keywords` with the ``http.stat_msg`` keyword. @@ -1216,6 +1219,9 @@ http.protocol The ``http.protocol`` keyword is used to match on the protocol field that is contained in HTTP requests and responses. +For HTTP/2, the constant string "HTTP/2" is used. +See rfc 7540 section 8.1.2.4. about Response Pseudo-Header Fields. + It is possible to use any of the :doc:`payload-keywords` with the ``http.protocol`` keyword.
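Review bot: In the http.stat_msg hunk, the added sentence "For HTTP/2, an empty buffer is returned by Suricata." leaves the consequence for rule writers implicit. A rule that matches a reason phrase in this buffer will not fire on HTTP/2 responses, and it would help to say that in the same paragraph so readers porting HTTP/1.1 rules notice the gap. As a style point on the next added line, "rfc 7540 section 8.1.2.4. about" reads more cleanly as "RFC 7540 section 8.1.2.4 (Response Pseudo-Header Fields)", with the RFC capitalised and without the stray period after the section number.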
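Review bot: In the http.protocol hunk, the added reference cites only "Response Pseudo-Header Fields", while the unchanged context line directly above says the keyword matches the protocol field "contained in HTTP requests and responses". Please state whether the constant is returned for both directions, and if so cite the request-side pseudo-header section alongside the response one. The constant itself would be clearer marked up as a literal (``HTTP/2``), the way the surrounding text marks up ``http.protocol``, so readers can see the exact string to match without the quotation marks.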