From ca9b29c2d018b999b7e2c7a8c43ee53cdcc03e84 Mon Sep 17 00:00:00 2001 From: jason taylor Date: Tue, 20 May 2025 20:34:47 -0400 Subject: [PATCH] doc: update http.header_names normalization info --- doc/userguide/rules/http-keywords.rst | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index a26d3cacb0..6d51e39b71 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -107,12 +107,16 @@ If there are multiple values for the same header name, they are concatenated with a comma and space (", ") between each value. More information can be found in RFC 2616 ``_ +In the example below, notice that the User-Agent header, regardless of the +letter casing is evaluated as the same header. The normalized header evaluation +leads to the concatenated header values as described in the RFC above. + Example Duplicate HTTP Header:: GET / HTTP/1.1 Host: suricata.io User-Agent: Mozilla/5.0 - User-Agent: Chrome/121.0.0 + User-agent: Chrome/121.0.0 .. container:: example-rule @@ -1211,6 +1215,9 @@ after ``User-Agent`` but not necessarily directly after. .. note:: ``http.header_names`` starts with a \\r\\n and ends with an extra \\r\\n. +.. note:: ``http.header_names`` can have additional formatting/normalization applied + to buffer contents, see :ref:`http.normalization` for additional details. + .. _http.protocol: http.protocol -- 2.47.2