doc: Move fast_pattern and prefilter to dedicated page

doc/userguide/rules/differences-from-snort.rst

@@ -561,7 +561,7 @@ Fast Pattern
    when doing fast pattern matching, something the other algorithims and
    Snort do not do.
 
--  :doc:`fast-pattern`
+-  :ref:`rules-keyword-fast_pattern`
 
 Don't Cross The Streams
 -----------------------

doc/userguide/rules/http-keywords.rst

@@ -706,9 +706,3 @@ pcre
 ----
 
 For information about the ``pcre`` keyword, check the :doc:`pcre` page.
-
-fast_pattern
-------------
-
-For information about the ``fast_pattern`` keyword, check the
-:doc:`fast-pattern` page.

doc/userguide/rules/index.rst

@@ -6,8 +6,8 @@ Suricata Rules
    intro
    meta
    header-keywords
-   prefilter
    payload-keywords
+   prefilter-keywords
    http-keywords
    flow-keywords
    flowint

doc/userguide/rules/payload-keywords.rst

@@ -6,7 +6,6 @@ Payload Keywords
    :maxdepth: 2
 
    pcre
-   fast-pattern
 
 Payload keywords inspect the content of the payload of a packet or
 stream.
@@ -303,8 +302,3 @@ pcre
 ----
 
 For information about pcre check the :doc:`pcre` page.
-
-fast_pattern
-------------
-
-For information about fast_pattern check the :doc:`fast-pattern` page.

doc/userguide/rules/prefilter-keywords.rst

@@ -1,6 +1,11 @@
-Fast Pattern
+=====================
-============
+Prefiltering Keywords
+=====================
+
+.. _rules-keyword-fast_pattern:
 
+fast_pattern
+============
 .. toctree::
 
    fast-pattern-explained
@@ -41,7 +46,7 @@ Fast-pattern can also be combined with all previous mentioned
 keywords, and all mentioned HTTP-modifiers.
 
 fast_pattern:only
------------------
+~~~~~~~~~~~~~~~~~
 
 Sometimes a signature contains only one content. In that case it is
 not necessary Suricata will check it any further after a match has
@@ -50,8 +55,8 @@ matches. Suricata notices this automatically. In some signatures this
 is still indicated with 'fast_pattern:only;'. Although Suricata does
 not need fast_pattern:only, it does support it.
 
-Fast_pattern: 'chop'
+fast_pattern:'chop'
---------------------
+~~~~~~~~~~~~~~~~~~~~
 
 If you do not want the MPM to use the whole content, you can use
 fast_pattern 'chop'.
@@ -61,3 +66,16 @@ For example::
   content: “aaaaaaaaabc”; fast_pattern:8,4;
 
 This way, MPM uses only the last four characters.
+
+
+prefilter
+=========
+The prefilter engines for other non-MPM keywords can be enabled in specific rules by using the 'prefilter' keyword.
+
+In the following rule the TTL test will be used in prefiltering instead of the single byte pattern:
+
+::
+
+  alert ip any any -> any any (ttl:123; prefilter; content:"a"; sid:1;)
+
+For more information on how to configure the prefilter engines, see :ref:`suricata-yaml-prefilter`

doc/userguide/rules/prefilter.rst

@@ -1,13 +0,0 @@
-Prefilter
-=========
-
-The prefilter engines for other non-MPM keywords can be enabled in specific rules by using the 'prefilter' keyword.
-
-In the following rule the TTL test will be used in prefiltering instead of the single byte pattern:
-
-::
-
-  alert ip any any -> any any (ttl:123; prefilter; content:"a"; sid:1;)
-
-For more information on how to configure the prefilter engines, see :ref:`suricata-yaml-prefilter`
-