From 4f7dc4f136cec13c820ff062ad5ef76dca5d2a87 Mon Sep 17 00:00:00 2001 From: jason taylor Date: Wed, 18 Dec 2019 09:59:23 -0500 Subject: [PATCH] doc: add bsize documentation and rule example Signed-off-by: jason taylor --- doc/userguide/rules/payload-keywords.rst | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index 4cdf124d44..f071c76d81 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst @@ -264,6 +264,21 @@ You can also use the negation (!) before isdataat. .. image:: payload-keywords/isdataat1.png +bsize +----- + +With the bsize keyword, you can match on the length of the buffer. This adds precision to the content match, previously this could have been done with isdataat. + +Format:: + + bsize:; + +Example of bsize in a rule: + +.. container:: example-rule + + alert dns any any -> any any (msg:"test bsize rule"; dns.query; content:"google.com"; bsize:10; sid:123; rev:1;) + dsize -----
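Review bot: The Format line in the new bsize section reads "bsize:;" with nothing between the colon and the semicolon, so the reader cannot tell what argument the keyword takes. Add a placeholder for the length value and state its unit. The description says bsize matches "the length of the buffer" without saying which buffer. The example suggests it is the dns.query sticky buffer preceding it, and that should be stated outright. It would also help to point out that content:"google.com" is 10 bytes, so with bsize:10 the rule is meant to fire only when the query is exactly that string and not a longer name containing it. Lastly, "This adds precision to the content match, previously this could have been done with isdataat." is a comma splice. Split it into two sentences and either explain how the isdataat approach achieved the same result or drop that clause.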