From 64760e2e75b90cd9db01037dbba2fbeb162bf1a0 Mon Sep 17 00:00:00 2001 From: jason taylor Date: Sat, 3 Feb 2024 15:48:25 +0000 Subject: [PATCH] doc: update http.response_line keyword information Ticket: 3025 Signed-off-by: jason taylor --- doc/userguide/rules/http-keywords.rst | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index a6138e2bb2..578c49743e 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -881,11 +881,25 @@ Example HTTP Response:: http.response_line ------------------ -The ``http.response_line`` forces the whole HTTP response line to be inspected. +The ``http.response_line`` keyword is used to match on the entire HTTP +response line. -Example:: +It is possible to use any of the :doc:`payload-keywords` with the +``http.response_line`` keyword. + +Example HTTP Response:: + + HTTP/1.1 200 OK + Content-Type: text/html + Server: nginx/0.8.54 + +.. container:: example-rule + + alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HTTP Response Line \ + Example"; flow:established,to_client; :example-rule-options:`http.response_line; \ + content:"HTTP/1.1 200 OK";` classtype:bad-unknown; sid:119; rev:1;) - alert http any any -> any any (http.response_line; content:"HTTP/1.0 200 OK"; sid:1;) +.. note:: ``http.response_line`` does not include the trailing \\r\\n .. _http.response_body:
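Review bot: In the added example-rule block, the first backslash continuation falls inside the quoted msg string (msg:"HTTP Response Line \ Example"), so the message text is split across two source lines. Consider breaking after a complete option instead, for example ending the first line at msg:"HTTP Response Line Example"; \ and starting the next with flow:established,to_client; so that each option stays whole and the rule is easier to read and copy from the .rst source. The second continuation has the same issue in a milder form: it sits inside the :example-rule-options: role between http.response_line; and content:"HTTP/1.1 200 OK"; and keeping both highlighted options on one line would avoid a role that spans a line break. Separately, the new note writes the line terminator as \\r\\n in running text and ends without a period; an inline literal (double backticks around \r\n) would match how http.response_line is marked up in the same sentence and removes the need for the doubled backslashes.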