diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index 4418ab8983..cbf28f2fe9 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -377,6 +377,25 @@ in your :ref:`libhtp configuration section ` via the ``response-body-limit`` setting. +Notes +~~~~~ + +- Using ``http_server_body`` is similar to having content matches + that come after ``file_data`` except that it doesn't permanently + (unless reset) set the detection pointer to the beginning of the + server response body. i.e. it is not a sticky buffer. + +- ``http_server_body`` will match on gzip decoded data just like + ``file_data`` does. + +- Since ``http_server_body`` matches on a server response, it + can't be used with the ``to_server`` or ``from_client`` flow + directives. + +- Corresponding PCRE modifier: ``Q`` + +- further notes at the ``file_data`` section below. + http_host and http_raw_host --------------------------- @@ -411,11 +430,30 @@ rule. This makes it a useful shortcut for applying many content matches to the HTTP response body, eliminating the need to modify each content match individually. -Note: how much of the response/server body is inspected is controlled +As the body of a HTTP response can be very large, it is inspected in +smaller chunks. + +How much of the response/server body is inspected is controlled in your :ref:`libhtp configuration section ` via the ``response-body-limit`` setting. +Notes +~~~~~ + +- If a HTTP body is using gzip or deflate, ``file_data`` will match + on the decompressed data. + +- Negated matching is affected by the chunked inspection. E.g. + 'content:!"
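Review bot: the first bullet of the new ``http_server_body`` Notes block reads as self-contradictory: "doesn't permanently (unless reset) set the detection pointer" says both that the pointer is not set permanently and that it is, until reset. Rephrase around the actual distinction, e.g. "Unlike ``file_data``, ``http_server_body`` is not a sticky buffer: it applies only to the content match it modifies and does not move the detection pointer for subsequent matches." In the same bullet, "i.e. it is not a sticky buffer." starts a sentence, so capitalize it or fold it into the preceding sentence. The last bullet, "further notes at the ``file_data`` section below.", is a lowercase fragment; suggest "Further notes can be found in the ``file_data`` section below." Since that bullet leans on the ``file_data`` Notes for the gzip and chunked-inspection behaviour, consider making it a ``:ref:`` link rather than "below" so it survives if the sections are reordered.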
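Review bot: in the second hunk, "As the body of a HTTP response can be very large" and "If a HTTP body is using gzip or deflate" should both read "an HTTP" (the existing text in this file uses the spoken-initialism article). The new sentence introducing chunked inspection also leaves the reader guessing how chunk size is controlled; since the very next paragraph points at ``response-body-limit``, consider tying the two together, e.g. "it is inspected in smaller chunks, and the total amount inspected is bounded by the ``response-body-limit`` setting in your libhtp configuration." Finally, the "Negated matching is affected by the chunked inspection" bullet is the one practitioners will care about most when a ``content:!"..."`` match fires unexpectedly, so make sure the example rule and the explanation of why a negation can match against an incomplete chunk are spelled out in full in this bullet rather than deferred.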