From: jason taylor Date: Tue, 9 Jan 2024 21:53:52 +0000 (+0000) Subject: doc: update http.accept keyword information X-Git-Tag: suricata-8.0.0-beta1~1544 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e87d89d2ecaf3f3adbed73b731c6c98914800fe;p=thirdparty%2Fsuricata.git doc: update http.accept keyword information Ticket: 3025 Signed-off-by: jason taylor --- diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index 58ba1f6ec3..398ed8a463 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -446,12 +446,24 @@ Example Duplicate User-Agent Header Request:: http.accept ----------- -Sticky buffer to match on the HTTP Accept header. Only contains the header -value. The \\r\\n after the header are not part of the buffer. +The ``http.accept`` keyword is used to match on the Accept field that +can be present in HTTP request headers. -Example:: +It is possible to use any of the :doc:`payload-keywords` with the +``http.accept`` keyword. + +Example HTTP Request:: + + GET /index.html HTTP/1.1 + User-Agent: Mozilla/5.0 + Accept: */* + Host: suricata.io + +.. container:: example-rule - alert http any any -> any any (http.accept; content:"image/gif"; sid:1;) + alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Accept Example"; \ + flow:established,to_server; :example-rule-options:`http.accept; + content:"*/*";` bsize:3; classtype:bad-unknown; sid:91; rev:1;) .. _http.accept_enc:
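Review bot: The rewritten http.accept description removes the statements "Only contains the header value" and "The \\r\\n after the header are not part of the buffer", but the new example rule depends on exactly that behaviour when it pairs content:"*/*"; with bsize:3. Suggest keeping one sentence to that effect after the new opening paragraph, so a rule writer can see why a 3-byte buffer size matches the request header "Accept: */*" and does not need to account for the field name or the line ending. The old text also identified the keyword as a sticky buffer, which the new wording no longer says; consider retaining that term. Minor style point: in the example-rule block the first line ends with a trailing backslash, while the second line, which breaks inside the :example-rule-options: role after "http.accept;", does not; make the line continuation consistent across the rule.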