From: Jeff Lucovsky <jeff@lucovsky.org>
Date: Wed, 27 Feb 2019 23:58:44 +0000 (-0500)
Subject: doc: add http.location and http.server
X-Git-Tag: suricata-5.0.0-beta1~112
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=74cd6a9ee8c8c64063e1c8fcbcfc0002df629e26;p=thirdparty%2Fsuricata.git

doc: add http.location and http.server
---

diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst
index e43c292bf7..2f8c041e34 100644
--- a/doc/userguide/rules/http-keywords.rst
+++ b/doc/userguide/rules/http-keywords.rst
@@ -60,6 +60,8 @@ http_header                    Modifier                 Both
 http_raw_header                Modifier                 Both
 http_cookie                    Modifier                 Both
 http_server_body               Modifier                 Response
+http.server                    Modifier                 Response
+http.location                  Modifier                 Response
 file_data                      Sticky Buffer            Response
 http_content_type              Sticky Buffer            Both
 http_content_len               Sticky Buffer            Both
@@ -590,6 +592,29 @@ Notes
 
 -  further notes at the ``file_data`` section below.
 
+http.server
+-----------
+
+Sticky buffer to match on the HTTP Server headers. Only contains the
+header value. The \\r\\n after the header are not part of the buffer.
+
+Example::
+
+    alert http any any -> any any (flow:to_client; \
+            http.server; content:"Microsoft-IIS/6.0"; sid:1;)
+
+http.location
+-------------
+
+Sticky buffer to match on the HTTP Location headers. Only contains the
+header value. The \\r\\n after the header are not part of the buffer.
+
+Example::
+
+    alert http any any -> any any (flow:to_client; \
+            http.location; content:"http://www.google.com"; sid:1;)
+
+
 http_host and http_raw_host
 ---------------------------