From: Jason Ish Date: Fri, 4 Dec 2015 15:53:19 +0000 (-0600) Subject: doc: normalized buffers X-Git-Tag: suricata-3.2beta1~257 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=30f3ecf22309df76efaecbb07aad31563ba151e0;p=thirdparty%2Fsuricata.git doc: normalized buffers --- diff --git a/doc/sphinx/normalized-buffers.rst b/doc/sphinx/normalized-buffers.rst new file mode 100644 index 0000000000..111bb97163 --- /dev/null +++ b/doc/sphinx/normalized-buffers.rst @@ -0,0 +1,15 @@ +Normalized Buffers +================== + + +A packet consists of raw data. HTTP and reassembly make a copy of +those kinds of packets data. They erase anomalous content, combine +packets etcetera. What remains is a called the 'normalized buffer'. + +Example: + +.. image:: normalized-buffers/normalization1.png + +Because the data is being normalized, it is not what it used to be; it +is an interpretation. Normalized buffers are: all HTTP-keywords, +reassembled streams, TLS-, SSL-, SSH-, FTP- and dcerpc-buffers. diff --git a/doc/sphinx/normalized-buffers/normalization1.png b/doc/sphinx/normalized-buffers/normalization1.png new file mode 100644 index 0000000000..a99820cc14 Binary files /dev/null and b/doc/sphinx/normalized-buffers/normalization1.png differ diff --git a/doc/sphinx/rules.rst b/doc/sphinx/rules.rst index 88c3773741..5a8ec3036c 100644 --- a/doc/sphinx/rules.rst +++ b/doc/sphinx/rules.rst @@ -17,3 +17,4 @@ Rules adding-your-own-rules live-rule-swap tls-keywords + normalized-buffers
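Review bot: In the first paragraph of the new doc/sphinx/normalized-buffers.rst, "What remains is a called the 'normalized buffer'" has a stray "a", and "a copy of those kinds of packets data" is missing a possessive. Suggest "make a copy of that packet data" and "What remains is called the 'normalized buffer'". The closing paragraph says the normalized data "is an interpretation" but stops there. A sentence stating what that means for a rule writer would make the page actionable: content matched against these buffers is matched against the interpreted copy, not the raw packet bytes. The `.. image::` directive has no `:alt:` text, so the only example on the page is lost in text-only output; a one-line description of what normalization1.png shows would cover that. Minor: "dcerpc" is lower case in a list where TLS, SSL, SSH and FTP are upper case, and "HTTP-keywords" does not need the hyphen.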