From: jason taylor Date: Fri, 7 Oct 2022 20:44:14 +0000 (+0000) Subject: userguide: update ipv6.hdr keyword information X-Git-Tag: suricata-7.0.0-rc1~386 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cfd0da133ee4a343476ba65dd8dbd002ca8d59fa;p=thirdparty%2Fsuricata.git userguide: update ipv6.hdr keyword information Signed-off-by: jason taylor --- diff --git a/doc/userguide/rules/header-keywords.rst b/doc/userguide/rules/header-keywords.rst index 29f6448798..c0e033542a 100644 --- a/doc/userguide/rules/header-keywords.rst +++ b/doc/userguide/rules/header-keywords.rst @@ -128,7 +128,16 @@ the IPv4 protocol is TCP. ipv6.hdr ^^^^^^^^ -Sticky buffer to match on the whole IPv6 header. +Sticky buffer to match on content contained within an IPv6 header. + +Example rule: + +.. container:: example-rule + + alert ip any any -> any any (msg:"IPv6 header keyword example"; :example-rule-emphasis:`ipv6.hdr; content:"|06|"; offset:6; depth:1;` sid:1; rev:1;) + +This example looks if byte 7 of IP64 header has value 06, which indicates that +the IPv6 protocol is TCP. id ^^
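Review bot: In the sentence added after the example rule, "IP64 header" is a typo for "IPv6 header", and "looks if" reads awkwardly. Suggested wording: "This example checks whether byte 7 of the IPv6 header has the value 06, which indicates that the next header is TCP." The byte at `offset:6` is the IPv6 Next Header field, so the value 06 only identifies TCP when TCP directly follows the fixed header. When an extension header is present, that byte carries the extension header's type instead, which is worth a short remark so readers do not treat this rule as a general "IPv6 carrying TCP" match. The sentence appears to be modelled on the ipv4.hdr text visible in the hunk context ("the IPv4 protocol is TCP"), which is why "IPv6 protocol" is less precise here than naming the Next Header field.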