From 566bc0d39cd32c07e259297243a48a07f68ec62d Mon Sep 17 00:00:00 2001 From: jason taylor Date: Sat, 3 Feb 2024 15:26:29 +0000 Subject: [PATCH] doc: update http.stat_msg keyword information Ticket: 3025 Signed-off-by: jason taylor --- doc/userguide/rules/http-keywords.rst | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index 5d67de633b..a6138e2bb2 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -854,15 +854,27 @@ Example HTTP Response:: http.stat_msg ------------- -With the ``http.stat_msg`` sticky buffer, it is possible to match -specifically and only on the HTTP status message buffer. The keyword -can be used in combination with all previously mentioned content -modifiers like ``depth``, ``distance``, ``offset``, ``nocase`` and -``within``. +The ``http.stat_msg`` keyword is used to match on the HTTP status message +that can be present in an HTTP response. + +It is possible to use any of the :doc:`payload-keywords` with the +``http.stat_msg`` keyword. + +Example HTTP Response:: + + HTTP/1.1 200 OK + Content-Type: text/html + Server: nginx/0.8.54 + +.. container:: example-rule + + alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP Stat Message Response \ + Example"; flow:established,to_client; :example-rule-options:`http.stat_msg; \ + content:"OK";` classtype:bad-unknown; sid:118; rev:1;) -Example of ``http.stat_msg`` in a HTTP response: +.. note:: ``http.stat_msg`` does not include the leading space or trailing \\r\\n -Example of the purpose of ``http.stat_msg``: +.. note:: ``http.stat_msg`` will always be empty when used with HTTP/2 .. _http.response_line:
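Review bot: The final note in the new http.stat_msg section says the buffer "will always be empty when used with HTTP/2" but does not spell out what that means for rule writers: a rule such as the sid:118 example, which requires ``content:"OK"`` in ``http.stat_msg``, cannot match an HTTP/2 response at all. I would state that consequence in the note and suggest matching on the status code instead where HTTP/2 coverage matters. Two smaller points in the same hunk: the new opening paragraph drops the term "sticky buffer" that the removed text used, and keeping it would explain why the example writes ``http.stat_msg;`` ahead of ``content:"OK";``. In the first note, ``\\r\\n`` would read more clearly as an inline literal, matching how ``http.stat_msg`` itself is marked up.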