doc: update flowbits information

Ticket: #6991

Signed-off-by: jason taylor <jtfas90@gmail.com>

doc/userguide/rules/flow-keywords.rst

@@ -1,6 +1,11 @@
 Flow Keywords
 =============
 
+.. role:: example-rule-action
+.. role:: example-rule-header
+.. role:: example-rule-options
+.. role:: example-rule-emphasis
+
 flowbits
 --------
 
@@ -9,13 +14,13 @@ is going to perform, the second part is the name of the flowbit.
 
 There are multiple packets that belong to one flow. Suricata keeps
 those flows in memory. For more information see
-:ref:`suricata-yaml-flow-settings`.  Flowbits can make sure an alert
+:ref:`suricata-yaml-flow-settings`.
-will be generated when for example two different packets match.  An
+
-alert will only be generated when both packets match. So, when the
+Flowbits can make sure an alert will be generated when for example two
-second packet matches, Suricata has to know if the first packet was a
+different packets match. An alert will only be generated when both packets
-match too. Flowbits marks the flow if a packet matches so Suricata
+match. So, when the second packet matches, Suricata has to know if the first
-'knows' it should generate an alert when the second packet matches as
+packet was a match too. Flowbits mark the flow if a packet matches so Suricata
-well.
+'knows' it should generate an alert when the second packet matches as well.
 
 Flowbits have different actions. These are:
 
@@ -41,24 +46,26 @@ Example:
 
 When you take a look at the first rule you will notice it would
 generate an alert if it would match, if it were not for the 'flowbits:
-noalert' at the end of that rule. The purpose of this rule is to check
+noalert' at the end of that rule.
-for a match on 'userlogin' and mark that in the flow. So, there is no
+
-need for generating an alert.  The second rule has no effect without
+The purpose of this rule is to check for a match on 'userlogin' and mark that
-the first rule. If the first rule matches, the flowbits sets that
+in the flow. So, there is no need to generate an alert. The second rule has no
-specific condition to be present in the flow. Now with the second rule
+effect without the first rule. If the first rule matches, the flowbit sets that
-there can be checked whether or not the previous packet fulfills the
+specific condition to be present in the flow. Now the second rule can be
-first condition. If at that point the second rule matches, an alert
+checked whether or not the previous packet fulfills the first condition.
-will be generated.
+If the second rule matches now, an alert will be generated.
+
+.. note:: flowbit names are case-sensitive.
 
-It is possible to use flowbits several times in a rule and combine the
+.. note:: It is possible to use flowbits several times in a rule and combine
-different functions.
+  the different functions.
 
-It is also possible to perform an `OR` operation with flowbits with `|` op.
+.. note:: It is possible to perform an `OR` operation with flowbits using the `|` (pipe).
 
-Example::
+.. container:: example-rule
-  alert http any any -> any any (msg: "User1 or User2 logged in"; content:"login"; flowbits:isset,user1|user2; sid:1;)
 
-This can be used with either `isset` or `isnotset` action.
+  alert http any any -> any any (msg:"User1 or User2 logged in"; \
+  content:"login"; :example-rule-options:`flowbits:isset,user1|user2;` sid:1;)
 
 flow
 ----