From: jason taylor Date: Mon, 18 Jul 2022 22:00:41 +0000 (+0000) Subject: doc: update userguide meta classtype information X-Git-Tag: suricata-7.0.0-beta1~352 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e611ef5ccb0dc6c4d2384323b90a4857450bcf7a;p=thirdparty%2Fsuricata.git doc: update userguide meta classtype information Signed-off-by: jason taylor --- diff --git a/doc/userguide/rules/meta.rst b/doc/userguide/rules/meta.rst index e70948258f..7e53763ce7 100644 --- a/doc/userguide/rules/meta.rst +++ b/doc/userguide/rules/meta.rst @@ -89,17 +89,16 @@ classtype The classtype keyword gives information about the classification of rules and alerts. It consists of a short name, a long name and a priority. It can tell for example whether a rule is just informational -or is about a hack etcetera. For each classtype, the -classification.config has a priority which will be used in the rule. +or is about a CVE. For each classtype, the classification.config has a priority which will be used in the rule. Example classtype definition:: config classification: web-application-attack,Web Application Attack,1 config classification: not-suspicious,Not Suspicious Traffic,3 -Now when we have defined this in the configuration, we can use the classtypes +Now when we have defined the classification in the configuration file, we can use the classtypes in our rules. A rule with classtype web-application-attack will be assigned -a priority of 1 and the alert will contain 'Web Application Attack': +a priority of 1 and the alert will contain 'Web Application Attack' in the Suricata logs: ======================= ====================== =========== classtype Alert Priority 
@@ -108,7 +107,7 @@ web-application-attack Web Application Attack 1 not-suspicious Not Suspicious Traffic 3 ======================= ====================== =========== -Our continuing example has also a classtype, this one of trojan-activity: +Our continuing example also has a classtype: bad-unknown: .. container:: example-rule @@ -117,8 +116,7 @@ Our continuing example has also a classtype, this one of trojan-activity: .. tip:: - It is a convention that classtype comes before sid and rev and after - the rest of the keywords. + It is a standard practice in rule writing that the classtype keyword comes before the sid and rev keywords (as shown in the example rule). reference ---------
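Review bot: in the first hunk (the classtype intro paragraph), "or is about a CVE" is not what classtype expresses: classtype carries the attack category and priority (web-application-attack, not-suspicious, and so on), while tying a rule to a CVE is the job of the `reference` keyword documented in the very next section of this file. Suggest keeping the original sense with cleaner wording, e.g. "or is about an attack, a policy violation, etc." The same replacement line is also well over the ~70-column wrap the rest of the paragraph uses; rewrapping it onto two lines would keep the rst source consistent with the surrounding text.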
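Review bot: in the second hunk, "Our continuing example also has a classtype: bad-unknown:" stacks two colons and reads awkwardly; suggest "Our continuing example also has a classtype, in this case bad-unknown:" so the sentence keeps the shape of the original ("this one of trojan-activity"). Since the example rule itself sits outside the hunk context (in the `.. container:: example-rule` block below), please double-check that the rule shown there really uses `classtype:bad-unknown;`, otherwise the rename from trojan-activity introduces a mismatch with the rendered example.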
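Review bot: in the third hunk, the rewritten tip drops half of the stated convention: the old text said classtype comes "before sid and rev and after the rest of the keywords", while the new single line only keeps the "before sid and rev" part. Suggest retaining the ordering relative to the other keywords, e.g. "It is a standard practice in rule writing that the classtype keyword comes after the detection keywords and before the sid and rev keywords (as shown in the example rule)." Wrapping that onto two or three lines would also match the indentation and line width used inside the `.. tip::` directive elsewhere in the file rather than one long line.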