doc: Moved explanation of normalized buffers to rules introduction

8 years ago · fea037fda8
parent 11990c7117
commit fea037fda8
7 changed files with 29 additions and 35 deletions
--- a/doc/userguide/rules/http-keywords.rst
+++ b/doc/userguide/rules/http-keywords.rst
@ -151,6 +151,7 @@ Example of the purpose of method:
 .. image:: http-keywords/method1.png
 .. _rules-http-uri-normalization:
 http_uri and http_raw_uri
 -------------------------
@ -161,9 +162,13 @@ buffer. The keyword can be used in combination with all previously
 mentioned content modifiers like ``depth``, ``distance``, ``offset``,
 ``nocase`` and ``within``.
-To learn more about the difference between ``http_uri`` and
+The uri has two appearances in Suricata: the raw_uri and the
-``http_raw_uri``, please read the information about
+normalized uri. The space for example can be indicated with the
-:doc:`http-uri-normalization`.
+heximal notation %20. To convert this notation in a space, means
 normalizing it. It is possible though to match specific on the
 characters %20 in a uri. This means matching on the raw_uri.  The
 raw_uri and the normalized uri are separate buffers. So, the raw_uri
 inspects the raw_uri buffer and can not inspect the normalized buffer.
 Example of the URI in a HTTP request:
--- a/doc/userguide/rules/http-uri-normalization.rst
+++ b/doc/userguide/rules/http-uri-normalization.rst
@ -1,10 +0,0 @@
 HTTP-uri normalization
 ======================
 The uri has two appearances in Suricata: the raw_uri and the
 normalized uri. The space for example can be indicated with the
 heximal notation %20. To convert this notation in a space, means
 normalizing it. It is possible though to match specific on the
 characters %20 in a uri. This means matching on the raw_uri.  The
 raw_uri and the normalized uri are separate buffers. So, the raw_uri
 inspects the raw_uri buffer and can not inspect the normalized buffer.
--- a/doc/userguide/rules/index.rst
+++ b/doc/userguide/rules/index.rst
@ -21,5 +21,4 @@ Suricata Rules
   enip-keyword
   app-layer
   rule-lua-scripting
   normalized-buffers
   differences-from-snort
--- a/doc/userguide/rules/intro.rst
+++ b/doc/userguide/rules/intro.rst
@ -249,3 +249,20 @@ Some keywords function act as modifiers. There are two types of modifiers.
      alert http any any -> any any (http_response_line; content:"403 Forbidden"; sid:1;)
  In the above example the pattern '403 Forbidden' is inspected against the HTTP response line because it follows the ``http_response_line`` keyword.
 .. _rules-normalized-buffers:
 Normalized Buffers
 ~~~~~~~~~~~~~~~~~~
 A packet consists of raw data. HTTP and reassembly make a copy of
 those kinds of packets data. They erase anomalous content, combine
 packets etcetera. What remains is a called the 'normalized buffer':
 .. image:: normalized-buffers/normalization1.png
 Because the data is being normalized, it is not what it used to be; it
 is an interpretation.  Normalized buffers are: all HTTP-keywords,
 reassembled streams, TLS-, SSL-, SSH-, FTP- and dcerpc-buffers.
 Note that there are some exceptions, e.g. the ``http_raw_uri`` keyword.
 See :ref:`rules-http-uri-normalization` for more information.
--- a/doc/userguide/rules/normalized-buffers.rst
+++ b/doc/userguide/rules/normalized-buffers.rst
@ -1,18 +0,0 @@
 Normalized Buffers
 ==================
 .. toctree::
   http-uri-normalization
 A packet consists of raw data. HTTP and reassembly make a copy of
 those kinds of packets data. They erase anomalous content, combine
 packets etcetera. What remains is a called the 'normalized buffer'.
 Example:
 .. image:: normalized-buffers/normalization1.png
 Because the data is being normalized, it is not what it used to be; it
 is an interpretation.  Normalized buffers are: all HTTP-keywords,
 reassembled streams, TLS-, SSL-, SSH-, FTP- and dcerpc-buffers.
--- a/doc/userguide/rules/payload-keywords.rst
+++ b/doc/userguide/rules/payload-keywords.rst
@ -293,7 +293,7 @@ another ('def'), see example:
 The replace modifier has to contain as many characters as the content
 it replaces.  It can only be used with individual packets. It will not
-work for :doc:`normalized-buffers` like HTTP uri or a content match in
+work for :ref:`rules-normalized-buffers` like HTTP uri or a content match in
 the reassembled stream.
 The checksums will be recalculated by Suricata and changed after the
--- a/doc/userguide/rules/pcre.rst
+++ b/doc/userguide/rules/pcre.rst
@ -67,7 +67,7 @@ Suricata has its own specific pcre modifiers. These are:
  uri_buffer just like uricontent and content combined with http_uri.U
  can be combined with /R. Note that R is relative to the previous
  match so both matches have to be in the HTTP-uri buffer. Read more
-  about :doc:`http-uri-normalization`.
+  about :ref:`HTTP URI Normalization <rules-http-uri-normalization>`.
 .. image:: pcre/pcre3.png
@ -80,7 +80,8 @@ Suricata has its own specific pcre modifiers. These are:
 * ``I``: Makes pcre match on the HTTP-raw-uri. It matches on the same
  buffer as http_raw_uri.  I can be combined with /R. Note that R is
  relative to the previous match so both matches have to be in the
-  HTTP-raw-uri buffer. Read more about :doc:`http-uri-normalization`.
+  HTTP-raw-uri buffer. Read more about
  :ref:`HTTP URI Normalization <rules-http-uri-normalization>`.
 * ``P``: Makes pcre match on the HTTP- request-body. So, it matches on
  the same buffer as http_client_body. P can be combined with /R. Note