.. image:: http-keywords/method1.png
+.. _rules-http-uri-normalization:
http_uri and http_raw_uri
-------------------------
mentioned content modifiers like ``depth``, ``distance``, ``offset``,
``nocase`` and ``within``.
-To learn more about the difference between ``http_uri`` and
-``http_raw_uri``, please read the information about
-:doc:`http-uri-normalization`.
+The uri has two appearances in Suricata: the raw_uri and the
+normalized uri. The space for example can be indicated with the
+heximal notation %20. To convert this notation in a space, means
+normalizing it. It is possible though to match specific on the
+characters %20 in a uri. This means matching on the raw_uri. The
+raw_uri and the normalized uri are separate buffers. So, the raw_uri
+inspects the raw_uri buffer and can not inspect the normalized buffer.
Example of the URI in a HTTP request:
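Review bot: the new target `.. _rules-http-uri-normalization:` sits directly above the `http_uri and http_raw_uri` heading with no blank line between them; docutils only ends an explicit markup block at a blank line, so this emits "Explicit markup ends without a blank line; unexpected unindent", and a build run with warnings treated as errors will fail. Insert a blank line after the target. The moved paragraph also carries wording problems from the deleted page that are worth fixing while it is being rewritten here: "heximal notation" should be "hexadecimal notation", "match specific on" should be "match specifically on", "can not" should be "cannot", and the last sentence should name the keyword it means, e.g. "``http_raw_uri`` inspects the raw URI buffer and cannot inspect the normalized buffer".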
+++ /dev/null
-HTTP-uri normalization
-======================
-
-The uri has two appearances in Suricata: the raw_uri and the
-normalized uri. The space for example can be indicated with the
-heximal notation %20. To convert this notation in a space, means
-normalizing it. It is possible though to match specific on the
-characters %20 in a uri. This means matching on the raw_uri. The
-raw_uri and the normalized uri are separate buffers. So, the raw_uri
-inspects the raw_uri buffer and can not inspect the normalized buffer.
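Review bot: deleting http-uri-normalization.rst turns every remaining `:doc:` reference to it into an "unknown document" error at build time; this patch rewrites the three references it shows, but please grep the whole doc tree for the old page name before merging, since a single leftover reference anywhere else will break the build.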
enip-keyword
app-layer
rule-lua-scripting
- normalized-buffers
differences-from-snort
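Review bot: dropping `normalized-buffers` from this toctree is consistent with deleting the page, but the topic now exists only as a sub-heading inside http-keywords.rst and disappears from the sidebar navigation entirely; if the concept should stay discoverable, add an `.. index::` entry or a short pointer to `rules-normalized-buffers` from a page that is still listed here.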
alert http any any -> any any (http_response_line; content:"403 Forbidden"; sid:1;)
In the above example the pattern '403 Forbidden' is inspected against the HTTP response line because it follows the ``http_response_line`` keyword.
+
+.. _rules-normalized-buffers:
+
+Normalized Buffers
+~~~~~~~~~~~~~~~~~~
+A packet consists of raw data. HTTP and reassembly make a copy of
+those kinds of packets data. They erase anomalous content, combine
+packets etcetera. What remains is a called the 'normalized buffer':
+
+.. image:: normalized-buffers/normalization1.png
+
+Because the data is being normalized, it is not what it used to be; it
+is an interpretation. Normalized buffers are: all HTTP-keywords,
+reassembled streams, TLS-, SSL-, SSH-, FTP- and dcerpc-buffers.
+
+Note that there are some exceptions, e.g. the ``http_raw_uri`` keyword.
+See :ref:`rules-http-uri-normalization` for more information.
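Review bot: the `Normalized Buffers` heading is underlined with `~`, whereas the keyword sections in this file use `-` (see `http_uri and http_raw_uri` above), so it will render as a subsection of the preceding `http_response_line` section rather than as a peer; use `-` unless that nesting is intended. Two wording fixes while the text is being moved: "make a copy of those kinds of packets data" reads better as "make a copy of that packet data", and "What remains is a called the" should be "What remains is called the". The image is still referenced as `normalized-buffers/normalization1.png` while the other image in this file lives under `http-keywords/` (see `http-keywords/method1.png`); make sure that directory survives the removal of normalized-buffers.rst, or move the image alongside the existing one and update the path.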
+++ /dev/null
-Normalized Buffers
-==================
-
-.. toctree::
-
- http-uri-normalization
-
-A packet consists of raw data. HTTP and reassembly make a copy of
-those kinds of packets data. They erase anomalous content, combine
-packets etcetera. What remains is a called the 'normalized buffer'.
-
-Example:
-
-.. image:: normalized-buffers/normalization1.png
-
-Because the data is being normalized, it is not what it used to be; it
-is an interpretation. Normalized buffers are: all HTTP-keywords,
-reassembled streams, TLS-, SSL-, SSH-, FTP- and dcerpc-buffers.
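Review bot: with both normalized-buffers.rst and http-uri-normalization.rst removed, the published URLs for those two pages go away; if the docs host supports it, add redirects from the old locations to the `rules-normalized-buffers` and `rules-http-uri-normalization` anchors so existing links into the documentation do not 404.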
The replace modifier has to contain as many characters as the content
it replaces. It can only be used with individual packets. It will not
-work for :doc:`normalized-buffers` like HTTP uri or a content match in
+work for :ref:`rules-normalized-buffers` like HTTP uri or a content match in
the reassembled stream.
The checksums will be recalculated by Suricata and changed after the
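Review bot: `:ref:` with no explicit title renders the target's section heading verbatim, so this sentence becomes "It will not work for Normalized Buffers like HTTP uri", with a capitalised link in mid-sentence; the other hunks in this patch give their refs an explicit title, so for consistency write `:ref:`normalized buffers <rules-normalized-buffers>``. "HTTP uri" on the same line should also be "HTTP URI".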
uri_buffer just like uricontent and content combined with http_uri.U
can be combined with /R. Note that R is relative to the previous
match so both matches have to be in the HTTP-uri buffer. Read more
- about :doc:`http-uri-normalization`.
+ about :ref:`HTTP URI Normalization <rules-http-uri-normalization>`.
.. image:: pcre/pcre3.png
* ``I``: Makes pcre match on the HTTP-raw-uri. It matches on the same
buffer as http_raw_uri. I can be combined with /R. Note that R is
relative to the previous match so both matches have to be in the
- HTTP-raw-uri buffer. Read more about :doc:`http-uri-normalization`.
+ HTTP-raw-uri buffer. Read more about
+ :ref:`HTTP URI Normalization <rules-http-uri-normalization>`.
* ``P``: Makes pcre match on the HTTP- request-body. So, it matches on
the same buffer as http_client_body. P can be combined with /R. Note
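Review bot: for both the `U` and `I` modifiers the link text reads "HTTP URI Normalization", but the label now sits on the `http_uri and http_raw_uri` section, so readers land on a heading that does not match what they clicked; either title the refs after that heading or keep a dedicated "HTTP URI normalization" sub-heading under the label. For the `I` modifier the ref is wrapped onto its own line: that continuation must be indented to the bullet's text column, otherwise docutils closes the list item and emits the ref as a separate paragraph. The context line "http_uri.U" is also missing a space after the period; it is adjacent to the change and cheap to fix in the same commit.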