From 245a89b7e74cfa4d60ab4f93d9708dd1af7d803f Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Wed, 5 Apr 2017 10:33:23 +0200 Subject: [PATCH] doc: http keywords update --- doc/userguide/rules/http-keywords.rst | 168 +++++++++++++++++++++++++- 1 file changed, 167 insertions(+), 1 deletion(-) diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index 4418ab8983..b23c7acbf1 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -20,7 +20,7 @@ Example:: In the above example the pattern 'index.php' is modified to inspect the HTTP uri buffer. -The more recent type is called the 'sticky buffer'. It places the buffer name first and all keywords following it apply to that buffer. +The more recent type is called the 'sticky buffer'. It places the buffer name first and all keywords following it apply to that buffer. Example:: @@ -44,6 +44,16 @@ http_cookie Modifier Both http_user_agent Modifier Request http_host Modifier Request http_raw_host Modifier Request +http_accept Sticky Buffer Request +http_accept_lang Sticky Buffer Request +http_accept_enc Sticky Buffer Request +http_referer Sticky Buffer Request +http_connection Sticky Buffer Request +http_content_type Sticky Buffer Both +http_content_len Sticky Buffer Both +http_start Sticky Buffer Both +http_protocol Sticky Buffer Both +http_header_names Sticky Buffer Both ============================== ======================== ================== The following response keywords are available: @@ -59,6 +69,11 @@ http_raw_header Modifier Both http_cookie Modifier Both http_server_body Modifier Response file_data Sticky Buffer Response +http_content_type Sticky Buffer Both +http_content_len Sticky Buffer Both +http_start Sticky Buffer Both +http_protocol Sticky Buffer Both +http_header_names Sticky Buffer Both ============================== ======================== ================== It is important to understand the structure of HTTP requests and 
@@ -219,6 +234,17 @@ Example of ``urilen`` in a signature: You can also append ``norm`` or ``raw`` to define what sort of buffer you want to use (normalized or raw buffer). +http_protocol +------------- + +The ``http_protocol`` inspects the protocol field from the HTTP request or +response line. If the request line is 'GET / HTTP/1.0\r\n', then this buffer +will contain 'HTTP/1.0'. + +Example:: + + alert http any any -> any any (flow:to_server; http_protocol; content:"HTTP/1.0"; sid:1;) + http_request_line ----------------- 
@@ -301,6 +327,146 @@ Example of the purpose of ``http_user_agent``: .. image:: http-keywords/user_agent_match.png +http_accept +----------- + +Sticky buffer to match on the HTTP Accept header. Only contains the header +value. The \\r\\n after the header are not part of the buffer. + +Example:: + + alert http any any -> any any (http_accept; content:"image/gif"; sid:1;) + +http_accept_enc +--------------- + +Sticky buffer to match on the HTTP Accept-Encoding header. Only contains the +header value. The \\r\\n after the header are not part of the buffer. + +Example:: + + alert http any any -> any any (http_accept_enc; content:"gzip"; sid:1;) + + +http_accept_lang +---------------- + +Sticky buffer to match on the HTTP Accept-Language header. Only contains the +header value. The \\r\\n after the header are not part of the buffer. + +Example:: + + alert http any any -> any any (http_accept_lang; content:"en-us"; sid:1;) + + +http_connection +--------------- + +Sticky buffer to match on the HTTP Connection header. Only contains the +header value. The \\r\\n after the header are not part of the buffer. + +Example:: + + alert http any any -> any any (http_connection; content:"keep-alive"; sid:1;) + + +http_content_type +----------------- + +Sticky buffer to match on the HTTP Content-Type headers. Only contains the +header value. The \\r\\n after the header are not part of the buffer. + +Use flow:to_server or flow:to_client to force inspection of request or response. + +Examples:: + + alert http any any -> any any (flow:to_server; \ + http_content_type; content:"x-www-form-urlencoded"; sid:1;) + + alert http any any -> any any (flow:to_client; \ + http_content_type; content:"text/javascript"; sid:2;) + + +http_content_len +---------------- + +Sticky buffer to match on the HTTP Content-Length headers. Only contains the +header value. The \\r\\n after the header are not part of the buffer. + +Use flow:to_server or flow:to_client to force inspection of request or response. 
+ +Examples:: + + alert http any any -> any any (flow:to_server; \ + http_content_len; content:"666"; sid:1;) + + alert http any any -> any any (flow:to_client; \ + http_content_len; content:"555"; sid:2;) + +To do a numeric inspection of the content length, ``byte_test`` can be used. + +Example, match if C-L is equal to or bigger than 8079:: + + alert http any any -> any any (flow:to_client; \ + http_content_len; byte_test:0,>=,8079,0,string,dec; sid:3;) + +http_referer +--------------- + +Sticky buffer to match on the HTTP Referer header. Only contains the +header value. The \\r\\n after the header are not part of the buffer. + +Example:: + + alert http any any -> any any (http_referer; content:".php"; sid:1;) + +http_start +---------- + +Inspect the start of a HTTP request or response. This will contain the +request/reponse line plus the request/response headers. Use flow:to_server +or flow:to_client to force inspection of request or response. + +Example:: + + alert http any any -> any any (http_start; content:"HTTP/1.1|0d 0a|User-Agent"; sid:1;) + +The buffer contains the normalized headers and is terminated by an extra +\\r\\n to indicate the end of the headers. + +http_header_names +----------------- + +Inspect a buffer only containing the names of the HTTP headers. Useful +for making sure a header is not present or testing for a certain order +of headers. + +Buffer starts with a \\r\\n and ends with an extra \\r\\n. 
+ +Example buffer:: + + \\r\\nHost\\r\\n\\r\\n + +Example rule:: + + alert http any any -> any any (http_header_names; content:"|0d 0a|Host|0d 0a|"; sid:1;) + +Example to make sure *only* Host is present:: + + alert http any any -> any any (http_header_names; \ + content:"|0d 0a 0d 0a|Host|0d 0a 0d 0a|"; sid:1;) + +Example to make sure *User-Agent* is directly after *Host*:: + + alert http any any -> any any (http_header_names; \ + content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|"; sid:1;) + +Example to make sure *User-Agent* is after *Host*, but not necessarily directly after:: + + alert http any any -> any any (http_header_names; \ + content:"|0d 0a|Host|0d 0a|"; content:"|0a 0d|User-Agent|0d 0a|"; \ + distance:-2; sid:1;) + http_client_body ----------------
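Review bot: in the request-keywords table (hunk at line 44) the new http_content_type, http_content_len, http_start, http_protocol and http_header_names rows are marked `Both`, and the same five rows are repeated in the response-keywords table in the following hunk. That mirrors how http_cookie is already handled, but readers scanning only one table may miss that the buffer is shared; a one-line remark above the tables saying that buffers with direction `Both` are listed in both would make that explicit. The `Sticky Buffer` capitalisation of the new rows matches the existing file_data row, so no change needed there.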
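Review bot: in the new http_protocol section the sentence "The ``http_protocol`` inspects the protocol field" is missing its noun; suggest "The ``http_protocol`` sticky buffer inspects the protocol field". The request-line example 'GET / HTTP/1.0\r\n' will also render wrongly: in reStructuredText body text a single backslash is an escape, so it comes out as `HTTP/1.0rn`, whereas the sections added later in this patch write `\\r\\n` for the same thing. Use `'GET / HTTP/1.0\\r\\n'` here for consistency. Since the table lists http_protocol as direction `Both`, it is the `flow:to_server` in the example that restricts it to the request line; a sentence saying so, like the one in the http_start section ("Use flow:to_server or flow:to_client ..."), would help.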
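Review bot: the "only Host is present" example in http_header_names cannot match the buffer as this section documents it. The text says the buffer starts with a `\\r\\n` and ends with an extra `\\r\\n`, and the example buffer is `\\r\\nHost\\r\\n\\r\\n`, yet the rule requires `|0d 0a 0d 0a|Host|0d 0a 0d 0a|`, i.e. two CRLFs before Host. Either the content should be `|0d 0a|Host|0d 0a 0d 0a|` or the buffer description and example buffer should show a leading `\\r\\n\\r\\n`; one of the two needs to change. In the last example ("after Host, but not necessarily directly after") the second content's leading `|0a 0d|` looks transposed: header names are separated by `0d 0a`, so `|0a 0d|User-Agent` could only match if an empty header name preceded User-Agent. With `distance:-2` backing the search up over the CRLF that closed the first match, `content:"|0d 0a|User-Agent|0d 0a|"` is what matches both when User-Agent directly follows Host and when other headers sit in between. Smaller points in the same hunk: "reponse" in the http_start paragraph should be "response", "a HTTP request" should be "an HTTP request", "Content-Type headers" and "Content-Length headers" should be singular since each describes one header, "C-L" in the byte_test example would read better spelled out as Content-Length, and the `http_referer` underline is three dashes longer than its title (valid RST, but every other section in this patch matches the underline to the title).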