From 008cc78a03f956128cf2aa7d50c62c8e5c05e9b0 Mon Sep 17 00:00:00 2001 From: jason taylor Date: Tue, 18 Jul 2023 21:17:31 +0000 Subject: [PATCH] doc: update fileext keyword information Signed-off-by: jason taylor --- doc/userguide/rules/file-keywords.rst | 34 +++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/doc/userguide/rules/file-keywords.rst b/doc/userguide/rules/file-keywords.rst index 9f2ce750a9..ec7fd1ab6a 100644 --- a/doc/userguide/rules/file-keywords.rst +++ b/doc/userguide/rules/file-keywords.rst @@ -31,17 +31,41 @@ Example:: file.name; content:"examplefilename"; nocase; fileext -------- +-------- -Matches on the extension of a file name. +``fileext`` is used to look at individual file extensions that are +seen in flows that Suricata evaluates. -Syntax:: +Example:: + + fileext:"pdf"; + +**Note:** ``fileext`` does not allow partial matches. For example, if +a PDF file (.pdf) is seen by a Suricata signature with +fileext:"pd"; the signature will not produce an alert. + +**Note:** ``fileext`` assumes ``nocase`` by default. This means +that a file with the extension .PDF will be seen the same as if +the file had an extension of .pdf. + +**Note:** ``fileext`` and ``file.name`` can both be used to match on +file extensions. In the example below the two signatures are +considered the same. + +Example:: + + fileext:"pdf"; + + file.name; content:".pdf"; nocase; endswith; - fileext:; +**Note**: While``fileeext`` and ``file.name`` can both be used +to match on file extensions, ``file.name`` allows for partial +matching on file extensions. The following would match on a file +with the extension of .pd as well as .pdf. Example:: - fileext:"jpg"; + file.name; content:".pd"; filemagic ---------
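Review bot: The typo ``fileeext`` in the last note paragraph also breaks the RST markup: there is no space between "While" and the opening double backticks, so docutils will not recognise the inline literal; write `While ``fileext`` and ``file.name`` can both be used` and use the same `**Note:**` form as the three notes above it (this one reads `**Note**:`). Two further points in the same hunk: the heading gains a second `--------` row directly under the existing underline, which docutils treats as a transition immediately after a section title and reports as an error rather than as part of the heading, so the added line should be dropped; and the closing example `file.name; content:".pd";` has no `endswith`, so it matches ".pd" anywhere in the file name (a constructed name such as `report.pd.bak` would also alert), not only as the extension, which the sentence "would match on a file with the extension of .pd as well as .pdf" should make clear, or the example should add `endswith` like the one above it. For consistency, the bare `fileext:"pd";` in the first note could also be wrapped in double backticks like the other keyword references.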