doc: Move fast_pattern and prefilter to dedicated page

author Ralph Broenink <ralph@ralphbroenink.net>

Sat, 14 Oct 2017 10:02:55 +0000 (12:02 +0200)

committer Victor Julien <victor@inliniac.net>

Fri, 8 Dec 2017 10:32:09 +0000 (11:32 +0100)
author Ralph Broenink <ralph@ralphbroenink.net>
Sat, 14 Oct 2017 10:02:55 +0000 (12:02 +0200)
committer Victor Julien <victor@inliniac.net>
Fri, 8 Dec 2017 10:32:09 +0000 (11:32 +0100)
diff --git a/doc/userguide/rules/differences-from-snort.rst b/doc/userguide/rules/differences-from-snort.rst

index 2dcb45ec9ecf76dd0a810a084f8145b358c0ff48..5c26a0815e66ae98d2384deb56d3c9b495657bc7 100644 (file)
--- a/doc/userguide/rules/differences-from-snort.rst
+++ b/doc/userguide/rules/differences-from-snort.rst
@@ -561,7 +561,7 @@ Fast Pattern
     when doing fast pattern matching, something the other algorithims and
     Snort do not do.
  
--  :doc:`fast-pattern`
+-  :ref:`rules-keyword-fast_pattern`
  
  Don't Cross The Streams
  -----------------------
diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst

index 784b212e1b86b12c098879e91860a1c18a727b7e..8f3a545d8a099f096083baa8564ea4695c3b9cd4 100644 (file)
--- a/doc/userguide/rules/http-keywords.rst
+++ b/doc/userguide/rules/http-keywords.rst
@@ -706,9 +706,3 @@ pcre
  ----
  
  For information about the ``pcre`` keyword, check the :doc:`pcre` page.
-
-fast_pattern
-------------
-
-For information about the ``fast_pattern`` keyword, check the
-:doc:`fast-pattern` page.
diff --git a/doc/userguide/rules/index.rst b/doc/userguide/rules/index.rst

index d741c8a83192d55d4bf4b581611f509e5de7b2d8..35921c7e013f0f4d0377b0af3bd855137223ea27 100644 (file)
--- a/doc/userguide/rules/index.rst
+++ b/doc/userguide/rules/index.rst
@@ -6,8 +6,8 @@ Suricata Rules
     intro
     meta
     header-keywords
-   prefilter
     payload-keywords
+   prefilter-keywords
     http-keywords
     flow-keywords
     flowint
diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst

index ab845bf23bed00f1e75d5c471d2660bf1101e97e..19c19978fdc7032a344522afc513d6dd881ddf5b 100644 (file)
--- a/doc/userguide/rules/payload-keywords.rst
+++ b/doc/userguide/rules/payload-keywords.rst
@@ -6,7 +6,6 @@ Payload Keywords
     :maxdepth: 2
  
     pcre
-   fast-pattern
  
  Payload keywords inspect the content of the payload of a packet or
  stream.
@@ -303,8 +302,3 @@ pcre
  ----
  
  For information about pcre check the :doc:`pcre` page.
-
-fast_pattern
-------------
-
-For information about fast_pattern check the :doc:`fast-pattern` page.
diff --git a/doc/userguide/rules/fast-pattern.rst b/doc/userguide/rules/prefilter-keywords.rst

similarity index 76%

rename from doc/userguide/rules/fast-pattern.rst

rename to doc/userguide/rules/prefilter-keywords.rst

index c32b79844fd0c5afa17095dc8e7519781631e27a..684e056bd86ab1ebcc3139acd20566602792305d 100644 (file)
--- a/doc/userguide/rules/fast-pattern.rst
+++ b/doc/userguide/rules/prefilter-keywords.rst
@@ -1,6 +1,11 @@
-Fast Pattern
-============
+=====================
+Prefiltering Keywords
+=====================
+
+.. _rules-keyword-fast_pattern:
  
+fast_pattern
+============
  .. toctree::
  
     fast-pattern-explained
@@ -41,7 +46,7 @@ Fast-pattern can also be combined with all previous mentioned
  keywords, and all mentioned HTTP-modifiers.
  
  fast_pattern:only
------------------
+~~~~~~~~~~~~~~~~~
  
  Sometimes a signature contains only one content. In that case it is
  not necessary Suricata will check it any further after a match has
@@ -50,8 +55,8 @@ matches. Suricata notices this automatically. In some signatures this
  is still indicated with 'fast_pattern:only;'. Although Suricata does
  not need fast_pattern:only, it does support it.
  
-Fast_pattern: 'chop'
---------------------
+fast_pattern:'chop'
+~~~~~~~~~~~~~~~~~~~~
  
  If you do not want the MPM to use the whole content, you can use
  fast_pattern 'chop'.
@@ -61,3 +66,16 @@ For example::
    content: “aaaaaaaaabc”; fast_pattern:8,4;
  
  This way, MPM uses only the last four characters.
+
+
+prefilter
+=========
+The prefilter engines for other non-MPM keywords can be enabled in specific rules by using the 'prefilter' keyword.
+
+In the following rule the TTL test will be used in prefiltering instead of the single byte pattern:
+
+::
+
+  alert ip any any -> any any (ttl:123; prefilter; content:"a"; sid:1;)
+
+For more information on how to configure the prefilter engines, see :ref:`suricata-yaml-prefilter`
diff --git a/doc/userguide/rules/prefilter.rst b/doc/userguide/rules/prefilter.rst

deleted file mode 100644 (file)

index 0d136ab..0000000
--- a/doc/userguide/rules/prefilter.rst
+++ /dev/null
@@ -1,13 +0,0 @@
-Prefilter
-=========
-
-The prefilter engines for other non-MPM keywords can be enabled in specific rules by using the 'prefilter' keyword.
-
-In the following rule the TTL test will be used in prefiltering instead of the single byte pattern:
-
-::
-
-  alert ip any any -> any any (ttl:123; prefilter; content:"a"; sid:1;)
-
-For more information on how to configure the prefilter engines, see :ref:`suricata-yaml-prefilter`
-
author	Ralph Broenink <ralph@ralphbroenink.net>
	Sat, 14 Oct 2017 10:02:55 +0000 (12:02 +0200)
committer	Victor Julien <victor@inliniac.net>
	Fri, 8 Dec 2017 10:32:09 +0000 (11:32 +0100)
doc/userguide/rules/differences-from-snort.rst		patch \| blob \| blame \| history
doc/userguide/rules/http-keywords.rst		patch \| blob \| blame \| history
doc/userguide/rules/index.rst		patch \| blob \| blame \| history
doc/userguide/rules/payload-keywords.rst		patch \| blob \| blame \| history
doc/userguide/rules/prefilter-keywords.rst	[moved from doc/userguide/rules/fast-pattern.rst with 76% similarity]	patch \| blob \| blame \| history
doc/userguide/rules/prefilter.rst	[deleted file]	patch \| blob \| blame \| history