From 75c4cdfa1c3196f6b56bf03583e5157c7216df2f Mon Sep 17 00:00:00 2001 From: jason taylor Date: Wed, 3 Jan 2024 22:04:23 +0000 Subject: [PATCH] doc: update http.cookie keyword information Ticket: 3025 Signed-off-by: jason taylor --- doc/userguide/rules/http-keywords.rst | 36 +++++++++++---------------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index efcb7159d6..733ef7f6f1 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst 
@@ -368,34 +368,28 @@ Abnormal HTTP Header Example:: http.cookie ----------- -With the ``http.cookie`` sticky buffer it is possible to match -specifically on the HTTP cookie contents. Keywords like ``depth``, -``distance``, ``offset``, ``nocase`` and ``within`` can be used -with ``http.cookie``. +The ``http.cookie`` keyword is used to match on the cookie field that can be +present in HTTP request (Cookie) or HTTP response (Set-Cookie) headers. -Note that cookies are passed in HTTP headers but Suricata extracts -the cookie data to ``http.cookie`` and will not match cookie content -put in the ``http.header`` sticky buffer. - -Example of a cookie in a HTTP request: +It is possible to use any of the :doc:`payload-keywords` with both ``http.header`` +keywords. -Examples:: +.. note:: Cookies are passed in HTTP headers but Suricata extracts the cookie + data to ``http.cookie`` and will not match cookie content put in the + :ref:`http.header` sticky buffer. - GET / HTTP/1.1 - User-Agent: Mozilla/5.0 - Host: www.example.com - Cookie: PHPSESSIONID=1234 - Connection: close +Example HTTP Request:: -Example ``http.cookie`` keyword in a signature: + GET /index.html HTTP/1.1 + User-Agent: Mozilla/5.0 + Cookie: PHPSESSION=123 + Host: suricata.io .. container:: example-rule - alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Request - with Cookie"; flow:established,to_server; http.method; content:"GET"; - http.uri; content:"/"; fast_pattern; :example-rule-emphasis:`http.cookie; - content:"PHPSESSIONID="; startswith;` classtype:bad-unknown; sid:123; - rev:1;) + alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Cookie Example"; \ + flow:established,to_server; :example-rule-emphasis:`http.cookie; \ + content:"PHPSESSIONID=123";` bsize:14; classtype:bad-unknown; sid:80; rev:1;) .. _http.user_agent: -- 2.47.2
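Review bot: the new example rule at the end of the hunk can never match, because ``content:"PHPSESSIONID=123"`` is 16 bytes while ``bsize:14`` restricts the buffer to exactly 14 bytes; the content also disagrees with the request shown just above it, whose header is ``Cookie: PHPSESSION=123`` (14 bytes). Pick one value and use it in both places, e.g. change the rule to ``content:"PHPSESSION=123"; bsize:14;`` so it matches the request as written, or change the request to ``Cookie: PHPSESSIONID=123`` and the rule to ``bsize:16``. Second, the added sentence ``It is possible to use any of the :doc:`payload-keywords` with both ``http.header`` keywords.`` reads like a copy from the ``http.header`` section: this section documents ``http.cookie``, and "both" has no referent here, so it should say something like "Any of the :doc:`payload-keywords` can be used with ``http.cookie``." The removed paragraph listed ``depth``, ``distance``, ``offset``, ``nocase`` and ``within`` explicitly; the doc link covers them, so that loss is fine once the sentence names the right keyword.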