From 9ddd8cf9e08b65f8c0f418801fef216faadcd5d8 Mon Sep 17 00:00:00 2001 From: jason taylor Date: Sat, 3 Feb 2024 16:03:23 +0000 Subject: [PATCH] doc: update http.server keyword information Ticket: 3025 Signed-off-by: jason taylor --- doc/userguide/rules/http-keywords.rst | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index fb27d5632f..cd8d1d8c64 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -942,13 +942,24 @@ Example HTTP Response:: http.server ----------- -Sticky buffer to match on the HTTP Server headers. Only contains the -header value. The \\r\\n after the header are not part of the buffer. +The ``http.server`` keyword is used to match on the HTTP response server +header contents. -Example:: +It is possible to use any of the :doc:`payload-keywords` with the +``http.server`` keyword. - alert http any any -> any any (flow:to_client; \ - http.server; content:"Microsoft-IIS/6.0"; sid:1;) +Example HTTP Response:: + + HTTP/1.1 200 OK + Content-Type: text/html + Server: nginx/0.8.54 + +.. container:: example-rule + + alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP Server Example"; flow:established,to_client; :example-rule-options:`http.server; \ + content:"nginx/0.8.54";` bsize:12; classtype:bad-unknown; sid:121; rev:1;) + +.. note:: ``http.server`` does not include the leading space or trailing \\r\\n .. _http.location:
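Review bot: in the added example rule, `bsize:12;` sits outside the `:example-rule-options:` role, which closes right after `content:"nginx/0.8.54";`. `bsize` is evaluated against the `http.server` buffer, and 12 is the length of `nginx/0.8.54`, so it belongs with the highlighted options. As written, the rendered page suggests it is a generic rule option like `classtype`. Suggest moving the closing backtick to after `bsize:12;`. Separately, the removed text described `http.server` as a sticky buffer that contains only the header value, while the replacement sentence says only that it matches "the HTTP response server header contents". Consider keeping the sticky buffer wording so readers know that the `content` and `bsize` that follow apply to this buffer. The trailing `.. note::` covers the header-value point but is missing its final period.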