specific parts of the network traffic. For instance, to check specifically on
the request URI, cookies, or the HTTP request or response body, etc.
-Types of modifiers
-------------------
-
-There are 2 types of modifiers. The older style 'content modifiers' look back in the rule.
-
-Example::
+All HTTP keywords are modifiers. Note the difference between content modifiers
+and sticky buffers. See :ref:`rules-modifiers` for more information. As a
+refresher:
- alert http any any -> any any (content:"index.php"; http_uri; sid:1;)
+* **'content modifiers'** look back in the rule, e.g.::
-In the above example the pattern 'index.php' is modified to inspect the HTTP uri buffer.
-
-The more recent type is called the 'sticky buffer'. It places the buffer name first and all keywords following it apply to that buffer.
-
-Example::
+ alert http any any -> any any (content:"index.php"; http_uri; sid:1;)
- alert http any any -> any any (http_response_line; content:"403 Forbidden"; sid:1;)
+* **'sticky buffers'** are placed first and all keywords following it apply to that buffer, for instance::
-In the above example the pattern '403 Forbidden' is inspected against the HTTP response line because it follows the ``http_response_line`` keyword.
+ alert http any any -> any any (http_response_line; content:"403 Forbidden"; sid:1;)
The following request keywords are available:
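Review bot: In the added 'sticky buffers' bullet the pronoun does not agree with its plural subject: "are placed first and all keywords following it apply to that buffer" should read "are placed first, and all keywords following them apply to that buffer", or the bullet should be made singular. The refresher also drops the "older style" / "more recent" wording that the removed text carried, so a reader of this file no longer learns which form is preferred without following the :ref:`rules-modifiers` link; one short clause in each bullet would keep that. As shown here, the two example rules are indented only one column under their bullets; please confirm they are indented past the bullet text so each literal block renders inside its list item.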
As a consequence, you must also escape the backslash, as it functions
as an escape character.
+
+The rest of this chapter in the documentation documents the use of the various keywords.
+
+Some generic details about keywords follow.
+
+.. _rules-modifiers:
+
+Modifier Keywords
+~~~~~~~~~~~~~~~~~
+
+Some keywords function act as modifiers. There are two types of modifiers.
+
+* The older style **'content modifiers'** look back in the rule, e.g.::
+
+ alert http any any -> any any (content:"index.php"; http_uri; sid:1;)
+
+ In the above example the pattern 'index.php' is modified to inspect the HTTP uri buffer.
+
+* The more recent type is called the **'sticky buffer'**. It places the buffer name first and all keywords following it apply to that buffer, for instance::
+
+ alert http any any -> any any (http_response_line; content:"403 Forbidden"; sid:1;)
+
+ In the above example the pattern '403 Forbidden' is inspected against the HTTP response line because it follows the ``http_response_line`` keyword.
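Review bot: Typo in the first sentence under "Modifier Keywords": "Some keywords function act as modifiers" has two verbs and should be "Some keywords act as modifiers". The added sentence "The rest of this chapter in the documentation documents the use of the various keywords" is also redundant in its wording; "The rest of this chapter documents the use of the various keywords" says the same. Both example rules in this section use sid:1, so a reader who copies the two into one rule file ends up with a duplicate sid; since this is now the section other pages link to, consider giving the second example a different sid.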