From: Philippe Antoine <contact@catenacyber.fr>
Date: Mon, 13 Jul 2020 09:06:58 +0000 (+0200)
Subject: doc: explicit header normalization further
X-Git-Tag: suricata-6.0.1~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4e242645be40e52ed781943e2948f7a56ec51141;p=thirdparty%2Fsuricata.git

doc: explicit header normalization further

And their concatenation as described in RFC 2616
---

diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst
index c97fb0a5d2..85a3225851 100644
--- a/doc/userguide/rules/http-keywords.rst
+++ b/doc/userguide/rules/http-keywords.rst
@@ -303,6 +303,9 @@ modifiers, like ``depth``, ``distance``, ``offset``, ``nocase`` and
     **Note**: the header buffer is *normalized*. Any trailing
     whitespace and tab characters are removed. See:
     https://lists.openinfosecfoundation.org/pipermail/oisf-users/2011-October/000935.html.
+    If there are multiple values for the same header name, they are
+    concatenated with a comma and space (", ") between each of them.
+    See RFC 2616 4.2 Message Headers.
     To avoid that, use the ``http.header.raw`` keyword.
 
 Example of a header in a HTTP request: