From 11990c71173f24f9c20f568b71f3c80592fe912b Mon Sep 17 00:00:00 2001 From: Ralph Broenink Date: Sat, 14 Oct 2017 11:52:13 +0200 Subject: [PATCH] doc: Move the definition of modifier keywords to the introduction --- doc/userguide/rules/http-keywords.rst | 21 +++++++-------------- doc/userguide/rules/intro.rst | 23 +++++++++++++++++++++++ 2 files changed, 30 insertions(+), 14 deletions(-) diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index 543ec9b3ba..413a7d6df0 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst 
@@ -10,24 +10,17 @@ capabilities at the application layer. More information can be found at specific parts of the network traffic. For instance, to check specifically on the request URI, cookies, or the HTTP request or response body, etc. -Types of modifiers ------------------- - -There are 2 types of modifiers. The older style 'content modifiers' look back in the rule. - -Example:: +All HTTP keywords are modifiers. Note the difference between content modifiers +and sticky buffers. See :ref:`rules-modifiers` for more information. As a +refresher: - alert http any any -> any any (content:"index.php"; http_uri; sid:1;) +* **'content modifiers'** look back in the rule, e.g.:: -In the above example the pattern 'index.php' is modified to inspect the HTTP uri buffer. - -The more recent type is called the 'sticky buffer'. It places the buffer name first and all keywords following it apply to that buffer. - -Example:: + alert http any any -> any any (content:"index.php"; http_uri; sid:1;) - alert http any any -> any any (http_response_line; content:"403 Forbidden"; sid:1;) +* **'sticky buffers'** are placed first and all keywords following it apply to that buffer, for instance:: -In the above example the pattern '403 Forbidden' is inspected against the HTTP response line because it follows the ``http_response_line`` keyword. + alert http any any -> any any (http_response_line; content:"403 Forbidden"; sid:1;) The following request keywords are available: diff --git a/doc/userguide/rules/intro.rst b/doc/userguide/rules/intro.rst index f13350b021..6b59758b73 100644 --- a/doc/userguide/rules/intro.rst +++ b/doc/userguide/rules/intro.rst 
@@ -226,3 +226,26 @@ meaning of the rule. As a consequence, you must also escape the backslash, as it functions as an escape character. + +The rest of this chapter in the documentation documents the use of the various keywords. + +Some generic details about keywords follow. + +.. _rules-modifiers: + +Modifier Keywords +~~~~~~~~~~~~~~~~~ + +Some keywords function act as modifiers. There are two types of modifiers. + +* The older style **'content modifiers'** look back in the rule, e.g.:: + + alert http any any -> any any (content:"index.php"; http_uri; sid:1;) + + In the above example the pattern 'index.php' is modified to inspect the HTTP uri buffer. + +* The more recent type is called the **'sticky buffer'**. It places the buffer name first and all keywords following it apply to that buffer, for instance:: + + alert http any any -> any any (http_response_line; content:"403 Forbidden"; sid:1;) + + In the above example the pattern '403 Forbidden' is inspected against the HTTP response line because it follows the ``http_response_line`` keyword. -- 2.47.2
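Review bot: In the http-keywords.rst hunk, the second bullet `* **'sticky buffers'** are placed first and all keywords following it apply to that buffer, for instance::` pairs a plural subject with the singular "it"; suggest `* a **'sticky buffer'** is placed first and all keywords following it apply to that buffer, for instance::` so the sentence matches the wording used in the intro.rst hunk. The hunk also drops the two sentences that explained what each example matches ("the pattern 'index.php' is modified to inspect the HTTP uri buffer", "... because it follows the ``http_response_line`` keyword"); with the `:ref:`rules-modifiers`` cross-reference that is acceptable, but the "As a refresher:" lead-in should make clear that the full explanation now lives in the linked section.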
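Review bot: Typo in the intro.rst hunk: `+Some keywords function act as modifiers. There are two types of modifiers.` has both "function" and "act"; suggest `Some keywords act as modifiers. There are two types of modifiers.` The preceding lead-in `+The rest of this chapter in the documentation documents the use of the various keywords.` repeats "documentation documents" and could read `The rest of this chapter describes the use of the various keywords.`; the following one-liner `Some generic details about keywords follow.` could then be folded into it. Minor: "HTTP uri buffer" should be "HTTP URI buffer" for consistency with the rest of the guide, and the `.. _rules-modifiers:` label correctly precedes the `Modifier Keywords` heading with a blank line, so the cross-reference added in http-keywords.rst will resolve.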