From: Giuseppe Longo Date: Thu, 25 Jan 2018 07:58:01 +0000 (+0100) Subject: doc: update file_data description X-Git-Tag: suricata-4.1.0-beta1~225 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3209%2Fhead;p=thirdparty%2Fsuricata.git doc: update file_data description --- diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index f8c80f65a7..56ba020095 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -680,6 +680,26 @@ in your :ref:`libhtp configuration section ` via the ``response-body-limit`` setting. +If the HTTP body is a flash file compressed with 'deflate' or 'lzma', +it can be decompressed and ``file_data`` can match on the decompress data. +Flash decompression must be enabled under ``libhtp`` configuration: + +:: + + # Decompress SWF files. + # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma + # compress-depth: + # Specifies the maximum amount of data to decompress, + # set 0 for unlimited. + # decompress-depth: + # Specifies the maximum amount of decompressed data to obtain, + # set 0 for unlimited. + swf-decompression: + enabled: yes + type: both + compress-depth: 0 + decompress-depth: 0 + Notes ~~~~~
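Review bot: the sample under ``swf-decompression:`` sets both ``compress-depth: 0`` and ``decompress-depth: 0``, which the comments above it define as unlimited, and the text does not say what that costs. Readers tend to copy documentation examples verbatim, so either show bounded values or add a sentence noting that unlimited decompression of attacker-supplied SWF bodies leaves memory and CPU use on the sensor unbounded. The two depth comments are also hard to tell apart ("maximum amount of data to decompress" versus "maximum amount of decompressed data to obtain"). Say explicitly which one limits the compressed input and which limits the decompressed output, and give the unit. Two smaller wording points: the comment "2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma" lists three accepted values, so it would read better as two types plus ``both``, and "match on the decompress data" in the new paragraph should be "decompressed data".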