doc: update file.name keyword information

Ticket: 3025 Signed-off-by: jason taylor <jtfas90@gmail.com>
1 year ago · 8b3db3c3b5
parent 49dba7bb94
commit 8b3db3c3b5
1 changed files with 15 additions and 5 deletions
--- a/doc/userguide/rules/http-keywords.rst
+++ b/doc/userguide/rules/http-keywords.rst
@ -1236,11 +1236,21 @@ setting.
 file.name
 ---------

-The ``file.name`` keyword can be used at the HTTP application level.
+The ``file.name`` keyword can be used with HTTP requests.

-Example::
+It is possible to use any of the :doc:`payload-keywords` with the
+``file.name`` keyword.
+
+Example HTTP Request::

-  alert http any any -> any any (msg:"http layer file.name keyword usage"; \
-  file.name; content:"picture.jpg"; classtype:bad-unknown; sid:1; rev:1;)
+  GET /picture.jpg HTTP/1.1
+  User-Agent: Mozilla/5.0
+  Host: suricata.io

-For additional information on the ``file.name`` keyword, see :doc:`file-keywords`.
+.. container:: example-rule
+
+  alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP file.name Example"; \
+  flow:established,to_client; :example-rule-options:`file.name; \
+  content:"picture.jpg";` classtype:bad-unknown; sid:129; rev:1;)
+
+.. note:: Additional information can be found at :doc:`file-keywords`