doc: Use lowercased keyword names as section titles

diff --git a/doc/userguide/rules/flow-keywords.rst b/doc/userguide/rules/flow-keywords.rst
index f9f354539b0774834e2d27597131e3b023bdbb7c..07cfbb33da581a6e4b9567e1e23123716d205e3f 100644 (file)
--- a/doc/userguide/rules/flow-keywords.rst
+++ b/doc/userguide/rules/flow-keywords.rst
@@ -1,7 +1,7 @@
 Flow Keywords
 =============
 
-Flowbits
+flowbits
 ~~~~~~~~
 
 Flowbits consists of two parts. The first part describes the action it
@@ -49,7 +49,7 @@ will be generated.
 It is possible to use flowbits several times in a rule and combine the
 different functions.
 
-Flow
+flow
 ~~~~
 
 The flow keyword can be used to match on direction of the flow, so to/from
@@ -102,7 +102,7 @@ The determination of *established* depends on the protocol:
 
   .. image:: flow-keywords/Flow2.png
 
-Flowint
+flowint
 ~~~~~~~
 
 For information, read the information on the :doc:`flowint` page.

diff --git a/doc/userguide/rules/flowint.rst b/doc/userguide/rules/flowint.rst
index aefe01a4788268cc4559a40a1b9bd3133d482c16..8fb331d2a6f53b1376a01c3dd63ca282953b1b6c 100644 (file)
--- a/doc/userguide/rules/flowint.rst
+++ b/doc/userguide/rules/flowint.rst
@@ -1,4 +1,4 @@
-Flowint
+flowint
 =======
 
 Flowint is a precursor to the Global Variables task we will be adding

diff --git a/doc/userguide/rules/header-keywords.rst b/doc/userguide/rules/header-keywords.rst
index 1e453863f5617a2b57e81bb7d887306e8d74d70d..a7fd838282a49579f2381647fb7c08508115bbc8 100644 (file)
--- a/doc/userguide/rules/header-keywords.rst
+++ b/doc/userguide/rules/header-keywords.rst
@@ -32,7 +32,7 @@ Example of the ttl keyword in a rule:
 
     alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; :example-rule-emphasis:`ttl:0;` reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:2101321; rev:9;)
 
-Ipopts
+ipopts
 ^^^^^^
 
 With the ipopts keyword you can check if a specific ip option is
@@ -114,7 +114,7 @@ The named variante of that example would be::
 
     ip_proto:PIM
 
-Id
+id
 ^^
 
 With the id keyword, you can match on a specific IP ID value.  The ID
@@ -136,7 +136,7 @@ Example of id in a rule:
 
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 1"; :example-rule-emphasis:`id: 1;` dsize: 24; flags: S,12; content:"\|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001609; classtype:misc-activity; sid:2001609; rev:13;)
 
-Geoip
+geoip
 ^^^^^
 
 The geoip keyword enables (you) to match on the source, destination or
@@ -167,7 +167,7 @@ libgeoip must be compiled in.
 Fragments
 ---------
 
-Fragbits
+fragbits
 ^^^^^^^^
 
 With the fragbits keyword, you can check if the fragmentation and
@@ -202,7 +202,7 @@ Example of fragbits in a rule:
 
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; :example-rule-emphasis:`fragbits: M;` fragoffset: >0; reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-Fragoffset
+fragoffset
 ^^^^^^^^^^
 
 With the fragoffset keyword you can match on specific decimal values

diff --git a/doc/userguide/rules/meta.rst b/doc/userguide/rules/meta.rst
index 1feee768c21d87b703a0c6df01657b19092508d3..849a9542cda71a00eccc27c14d5e26a7d43e0e69 100644 (file)
--- a/doc/userguide/rules/meta.rst
+++ b/doc/userguide/rules/meta.rst
@@ -37,7 +37,7 @@ In this example the red, bold-faced part is the msg.
 .. note:: The following characters must be escaped inside the msg:
              ``;`` ``\`` ``"``
 
-Sid (signature id)
+sid (signature ID)
 ------------------
 
 The keyword sid gives every signature its own id. This id is stated with a number.
@@ -56,7 +56,7 @@ Example of sid in a signature:
 
 In this example the red, bold-faced part is the sid.
 
-Rev (Revision)
+rev (Revision)
 --------------
 
 The sid keyword is almost every time accompanied by rev. Rev
@@ -79,7 +79,7 @@ Example of rev in a signature:
 
 In this example the red, bold-faced part is the rev.
 
-Gid (group id)
+gid (group ID)
 --------------
 
 The gid keyword can be used to give different groups of signatures
@@ -98,7 +98,7 @@ Example of gid in a signature:
 This is an example from the fast.log.
 In the part [1:2008124:2], 1 is the gid (2008124 is the the sid and 2 the rev).
 
-Classtype
+classtype
 ---------
 
 The classtype keyword gives information about the classification of
@@ -133,7 +133,7 @@ Another example of classtype in a signature:
 
 In this example the red, bold-faced part is the classtype.
 
-Reference
+reference
 ---------
 
 The reference keywords direct to places where information about the
@@ -178,7 +178,7 @@ Example of reference in a signature:
 
 In this example the red, bold-faced part is the action.
 
-Priority
+priority
 --------
 
 The priority keyword comes with a mandatory numeric value which can
@@ -192,7 +192,7 @@ format of priority is:
 
   priority:1;
 
-Metadata
+metadata
 --------
 
 Suricata ignores the words behind meta data.  Suricata supports this
@@ -202,7 +202,7 @@ keyword because it is part of the signature language.  The format is:
 
   metadata:......;
 
-Target
+target
 ------
 
 The target keyword allows the rules writer to specify which side of the

diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst
index 47d44f9a3ada9b0ec68a2c779d376743e9d7d80d..4696936339bc0cf35e41da5244eabb07c39dd38f 100644 (file)
--- a/doc/userguide/rules/payload-keywords.rst
+++ b/doc/userguide/rules/payload-keywords.rst
@@ -11,7 +11,7 @@ Payload Keywords
 Payload keywords inspect the content of the payload of a packet or
 stream.
 
-Content
+content
 -------
 
 The content keyword is very important in signatures. Between the
@@ -99,7 +99,7 @@ generated if the the used version of Firefox is not 3.6.13.
 .. note:: The following characters must be escaped inside the content:
              ``;`` ``\`` ``"``
 
-Nocase
+nocase
 ------
 
 If you do not want to make a distinction between uppercase and
@@ -120,7 +120,7 @@ Example nocase:
 
 It has no influence on other contents in the signature.
 
-Depth
+depth
 -----
 
 The depth keyword is a absolute content modifier. It comes after the
@@ -136,7 +136,7 @@ Example:
 
 .. image:: payload-keywords/content4.png
 
-Offset
+offset
 ------
 
 The offset keyword designates from which byte in the payload will be
@@ -157,7 +157,7 @@ third byte till the sixth byte.
 .. image:: payload-keywords/content6.png
 
 
-Distance
+distance
 --------
 
 The keyword distance is a relative content modifier. This means it
@@ -188,7 +188,7 @@ possible to attain the same results with other keywords.
 
 .. image:: payload-keywords/distance3.png
 
-Within
+within
 ------
 
 The keyword within is relative to the preceding match. The keyword
@@ -214,7 +214,7 @@ payload for a match, use within.
 
 .. image:: payload-keywords/within_distance2.png
 
-Isdataat
+isdataat
 --------
 
 The purpose of the isdataat keyword is to look if there is still data
@@ -238,7 +238,7 @@ You can also use the negation (!) before isdataat.
 
 .. image:: payload-keywords/isdataat1.png
 
-Dsize
+dsize
 -----
 
 With the dsize keyword, you can match on the size of the packet
@@ -280,7 +280,7 @@ Example of the rpc keyword in a rule:
 
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; :example-rule-emphasis:`rpc:100009,*,*;` reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;)
 
-Replace
+replace
 -------
 
 The replace content modifier can only be used in ips. It adjusts