From: jason taylor Date: Mon, 17 Jul 2023 16:36:58 +0000 (+0000) Subject: doc: update file.name keyword information X-Git-Tag: suricata-7.0.1~52 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e99b1787a2740a70190be316a5fe22020439e6bf;p=thirdparty%2Fsuricata.git doc: update file.name keyword information Signed-off-by: jason taylor --- diff --git a/doc/userguide/rules/file-keywords.rst b/doc/userguide/rules/file-keywords.rst index 199bf5f641..9f2ce750a9 100644 --- a/doc/userguide/rules/file-keywords.rst +++ b/doc/userguide/rules/file-keywords.rst @@ -5,20 +5,30 @@ Suricata comes with several rule keywords to match on various file properties. They depend on properly configured :doc:`../file-extraction/file-extraction`. -filename --------- +file.name +--------- -Matches on the file name. +``file.name`` is a sticky buffer that is used to look at filenames +that are seen in flows that Suricata evaluates. The various payload +keywords can be used (e.g. ``startswith``, ``nocase`` and ``bsize``) +with ``file.name``. -Syntax:: +Example:: - filename:; + file.name; content:"examplefilename"; + +``file.name`` supports multiple buffer matching, see :doc:`multi-buffer-matching`. + +**Note** ``filename`` can still be used. A notable difference between +``file.name`` and ``filename`` is that ``filename`` assumes ``nocase`` +by default. In the example below the two signatures are considered +the same. Example:: - filename:"secret"; + filename:"examplefilename"; -``file.name`` supports multiple buffer matching, see :doc:`multi-buffer-matching`. + file.name; content:"examplefilename"; nocase; fileext -------
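Review bot: the hunk removes the ``Syntax::`` block (``filename:;``) together with the ``filename`` heading, so the legacy keyword, which the new text says "can still be used", no longer has a heading, anchor or syntax entry of its own; its only remaining mention is the example ``filename:"examplefilename";`` inside the case-sensitivity note, which is hard to find when scanning the page. Consider keeping a short ``filename`` subsection (or at least a one-line syntax entry) and stating there that it is the legacy form of ``file.name``. Two smaller points: the bold ``**Note**`` would read better as an RST ``.. note::`` directive rather than inline emphasis, and "the two signatures are considered the same" describes two keyword fragments rather than complete signatures, so "the two matches are equivalent" would be more precise.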