From 6251deae21c3c75e68f0a784e57f28c5bcf01bb5 Mon Sep 17 00:00:00 2001
From: Philippe Antoine <contact@catenacyber.fr>
Date: Thu, 12 Mar 2020 09:11:52 +0100
Subject: [PATCH] doc: adds doc for ipv4.hdr signature keyword

---
 doc/userguide/rules/header-keywords.rst | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/doc/userguide/rules/header-keywords.rst b/doc/userguide/rules/header-keywords.rst
index d84009b71e..d1d2d7b887 100644
--- a/doc/userguide/rules/header-keywords.rst
+++ b/doc/userguide/rules/header-keywords.rst
@@ -111,6 +111,20 @@ The named variant of that example would be::
 
     ip_proto:PIM
 
+ipv4.hdr
+^^^^^^^^
+
+Sticky buffer to match on the whole IPv4 header.
+
+Example rule:
+
+.. container:: example-rule
+
+    alert ip any any -> any any (:example-rule-emphasis:`ipv4.hdr; content:"|3A|"; offset:9; depth:1;` sid:1234; rev:5;)
+
+This example looks if byte 9 of IPv4 header has value 3A.
+That means that the IPv4 protocol is ICMPv6.
+
 ipv6.hdr
 ^^^^^^^^
 
-- 
2.47.2