From 5bff34860f7098b6dc9b9f057f66d23f76583ed0 Mon Sep 17 00:00:00 2001 From: jason taylor Date: Mon, 17 Jul 2023 16:36:58 +0000 Subject: [PATCH] doc: update file.name keyword information Signed-off-by: jason taylor --- doc/userguide/rules/file-keywords.rst | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/doc/userguide/rules/file-keywords.rst b/doc/userguide/rules/file-keywords.rst index 2d796bee73..2992992c72 100644 --- a/doc/userguide/rules/file-keywords.rst +++ b/doc/userguide/rules/file-keywords.rst @@ -5,18 +5,28 @@ Suricata comes with several rule keywords to match on various file properties. They depend on properly configured :doc:`../file-extraction/file-extraction`. -filename --------- +file.name +--------- -Matches on the file name. +``file.name`` is a sticky buffer that is used to look at filenames +that are seen in flows that Suricata evaluates. The various payload +keywords can be used (e.g. ``startswith``, ``nocase`` and ``bsize``) +with ``file.name``. -Syntax:: +Example:: - filename:; + file.name; content:"examplefilename"; + +**Note** ``filename`` can still be used. A notable difference between +``file.name`` and ``filename`` is that ``filename`` assumes ``nocase`` +by default. In the example below the two signatures are considered +the same. Example:: - filename:"secret"; + filename:"examplefilename"; + + file.name; content:"examplefilename"; nocase; fileext -------- -- 2.47.2
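Review bot: In the added text, `**Note** ``filename`` can still be used.` uses bold inline markup where the rest of this reStructuredText guide would use an admonition; switch it to a `.. note::` directive with the sentence indented beneath it so it renders as a proper callout rather than a bold word at the start of a paragraph. Since the hunk also removes the `filename` heading and its `Syntax::` block, any existing link to that section anchor will no longer resolve; consider adding an explicit label such as `.. _file.name:` above the new heading (and, if desired, a `.. _filename:` label on the note) so references keep working. Finally, the first `Example::` shows `file.name; content:"examplefilename";` without `nocase`, while the second example pairs `file.name` with `nocase` to match `filename`'s default; a single clause stating that the first example is case-sensitive would make the intended contrast explicit.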