From 71d8488cb560205d02c301a26837d4484bfc7f8d Mon Sep 17 00:00:00 2001 From: jason taylor Date: Sat, 3 Feb 2024 15:14:24 +0000 Subject: [PATCH] doc: update http.request_body keyword information Ticket: 3025 Signed-off-by: jason taylor --- doc/userguide/rules/http-keywords.rst | 38 ++++++++++++++++++--------- 1 file changed, 25 insertions(+), 13 deletions(-) diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index 896cbdfb17..22823fd9f9 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst 
@@ -793,24 +793,36 @@ after ``User-Agent`` but not necessarily directly after. http.request_body ----------------- -With the ``http.request_body`` sticky buffer, it is possible to -match specifically and only on the HTTP request body. The keyword can -be used in combination with all previously mentioned content modifiers -like ``distance``, ``offset``, ``nocase``, ``within``, etc. +The ``http.request_body`` keyword is used to match on the HTTP request body +that can be present in an HTTP request. + +It is possible to use any of the :doc:`payload-keywords` with the +``http.request_body`` keyword. + +Example HTTP Request:: + + POST /suricata.php HTTP/1.1 + Content-Type: application/x-www-form-urlencoded + Host: suricata.io + Content-Length: 23 + Connection: Keep-Alive -Example of ``http.request_body`` in a HTTP request: + Suricata request body +.. container:: example-rule -Example of the purpose of ``http.client_body``: + alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP Request Body Example"; \ + flow:established,to_server; :example-rule-options:`http.request_body; \ + content:"Suricata request body";` classtype:bad-unknown; sid:115; rev:1;) -Note: how much of the request/client body is inspected is controlled -in the :ref:`libhtp configuration section -` via the ``request-body-limit`` -setting. +.. note:: How much of the request/client body is inspected is controlled + in the :ref:`libhtp configuration section + ` via the ``request-body-limit`` + setting. -``http.request_body`` replaces the previous keyword name: ```http_client_body``. You may continue -+to use the previous name, but it's recommended that rules be converted to use -+the new name. +.. note:: ``http.request_body`` replaces the previous keyword name, + ``http_client_body``. ``http_client_body`` can still be used but it is + recommended that rules be converted to use ``http.request_body``. .. _http.stat_code:
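Review bot: In the new "Example HTTP Request" block the declared ``Content-Length: 23`` does not match the body that follows it; ``Suricata request body`` is 21 bytes, so a reader who replays this request will get a 2-byte short read (or has to guess a trailing CRLF). Either change the header to ``Content-Length: 21`` or make the body 23 bytes so the sample is self-consistent with the ``content:"Suricata request body";`` match in the rule below it. Two smaller points in the same hunk: the added ``.. note::`` still says "request/client body", while the surrounding text was just rewritten to use only ``http.request_body`` and mentions ``http_client_body`` solely as the legacy name, so "request body" alone would be consistent; and the ``:example-rule-options:`` role wraps ``http.request_body; \`` and ``content:"Suricata request body";`` across a line break, which is worth checking in the rendered HTML since the other example rules in this file keep each highlighted option on one line.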