userguide: update ttl keyword information

Signed-off-by: jason taylor <jtfas90@gmail.com>

diff --git a/doc/userguide/rules/header-keywords.rst b/doc/userguide/rules/header-keywords.rst
index 5e4e3f994a02031d04cd7663dea7c49664695c23..de7c4a394b469e7a11d21a2bb562f103168adc7e 100644 (file)
--- a/doc/userguide/rules/header-keywords.rst
+++ b/doc/userguide/rules/header-keywords.rst
@@ -1,4 +1,3 @@
-
 .. role:: example-rule-emphasis
 
 IP Keywords
@@ -10,7 +9,7 @@ ttl
 The ttl keyword is used to check for a specific IP time-to-live value
 in the header of a packet. The format is::
 
-  ttl:<number>
+  ttl:<number>;
 
 For example::
 
@@ -20,7 +19,7 @@ At the end of the ttl keyword you can enter the value on which you
 want to match. The Time-to-live value determines the maximal amount
 of time a packet can be in the Internet-system. If this field is set
 to 0, then the packet has to be destroyed. The time-to-live is based
-on hop count. Each hop/router the packet passes subtracts one of the
+on hop count. Each hop/router the packet passes subtracts one from the
 packet TTL counter. The purpose of this mechanism is to limit the
 existence of packets so that packets can not end up in infinite
 routing loops.
@@ -29,7 +28,8 @@ Example of the ttl keyword in a rule:
 
 .. container:: example-rule
 
-    alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; :example-rule-emphasis:`ttl:0;` reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:2101321; rev:9;)
+    alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"IP Packet With TTL 0";
+    :example-rule-emphasis:`ttl:0;` classtype:misc-activity; sid:1; rev:1;)
 
 ipopts
 ^^^^^^