doc: update http.header_names normalization info

author jason taylor <jtfas90@gmail.com>

Wed, 21 May 2025 00:34:47 +0000 (20:34 -0400)

committer Victor Julien <victor@inliniac.net>

Wed, 21 May 2025 07:37:25 +0000 (09:37 +0200)
author jason taylor <jtfas90@gmail.com>
Wed, 21 May 2025 00:34:47 +0000 (20:34 -0400)
committer Victor Julien <victor@inliniac.net>
Wed, 21 May 2025 07:37:25 +0000 (09:37 +0200)
diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst

index a26d3cacb0520118a2522d3b2e794564237d7e18..6d51e39b7175ba9c60b34ad2c69a2b3c09139c0f 100644 (file)
--- a/doc/userguide/rules/http-keywords.rst
+++ b/doc/userguide/rules/http-keywords.rst
@@ -107,12 +107,16 @@ If there are multiple values for the same header name, they are concatenated
  with a comma and space (", ") between each value. More information can be
  found in RFC 2616 `<https://www.rfc-editor.org/rfc/rfc2616.html#section-4.2>`_
  
+In the example below, notice that the User-Agent header, regardless of the 
+letter casing is evaluated as the same header. The normalized header evaluation
+leads to the concatenated header values as described in the RFC above.
+
  Example Duplicate HTTP Header::
  
    GET / HTTP/1.1
    Host: suricata.io
    User-Agent: Mozilla/5.0
-  User-Agent: Chrome/121.0.0
+  User-agent: Chrome/121.0.0
  
  .. container:: example-rule
  
@@ -1211,6 +1215,9 @@ after ``User-Agent`` but not necessarily directly after.
  
  .. note:: ``http.header_names`` starts with a \\r\\n and ends with an extra \\r\\n.
  
+.. note:: ``http.header_names`` can have additional formatting/normalization applied
+  to buffer contents, see :ref:`http.normalization` for additional details.
+
  .. _http.protocol:
  
  http.protocol
author	jason taylor <jtfas90@gmail.com>
	Wed, 21 May 2025 00:34:47 +0000 (20:34 -0400)
committer	Victor Julien <victor@inliniac.net>
	Wed, 21 May 2025 07:37:25 +0000 (09:37 +0200)