doc: normalized buffers

doc/sphinx/normalized-buffers.rst

@@ -0,0 +1,15 @@
+Normalized Buffers
+==================
+
+
+A packet consists of raw data. HTTP and reassembly make a copy of
+those kinds of packets data. They erase anomalous content, combine
+packets etcetera. What remains is a called the 'normalized buffer'.
+
+Example:
+
+.. image:: normalized-buffers/normalization1.png
+
+Because the data is being normalized, it is not what it used to be; it
+is an interpretation.  Normalized buffers are: all HTTP-keywords,
+reassembled streams, TLS-, SSL-, SSH-, FTP- and dcerpc-buffers.

doc/sphinx/rules.rst

@@ -17,3 +17,4 @@ Rules
    adding-your-own-rules
    live-rule-swap
    tls-keywords
+   normalized-buffers