From: jason taylor Date: Wed, 21 May 2025 00:34:47 +0000 (-0400) Subject: doc: update http.header_names normalization info X-Git-Tag: suricata-8.0.0-rc1~238 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F13283%2Fhead;p=thirdparty%2Fsuricata.git doc: update http.header_names normalization info --- diff --git a/doc/userguide/rules/http-keywords.rst b/doc/userguide/rules/http-keywords.rst index a26d3cacb0..6d51e39b71 100644 --- a/doc/userguide/rules/http-keywords.rst +++ b/doc/userguide/rules/http-keywords.rst @@ -107,12 +107,16 @@ If there are multiple values for the same header name, they are concatenated with a comma and space (", ") between each value. More information can be found in RFC 2616 ``_ +In the example below, notice that the User-Agent header, regardless of the +letter casing is evaluated as the same header. The normalized header evaluation +leads to the concatenated header values as described in the RFC above. + Example Duplicate HTTP Header:: GET / HTTP/1.1 Host: suricata.io User-Agent: Mozilla/5.0 - User-Agent: Chrome/121.0.0 + User-agent: Chrome/121.0.0 .. container:: example-rule @@ -1211,6 +1215,9 @@ after ``User-Agent`` but not necessarily directly after. .. note:: ``http.header_names`` starts with a \\r\\n and ends with an extra \\r\\n. +.. note:: ``http.header_names`` can have additional formatting/normalization applied + to buffer contents, see :ref:`http.normalization` for additional details. + .. _http.protocol: http.protocol
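Review bot: In the first hunk (http-keywords.rst, around line 107), the added sentence "notice that the User-Agent header, regardless of the letter casing is evaluated as the same header" is missing the closing comma after "casing" and never says which lines of the example differ. Suggest naming the two spellings the example now uses, ``User-Agent`` and ``User-agent``, and stating the buffer value a rule author should expect to match, which per the context line above is the two values joined with a comma and space.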
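Review bot: In the second hunk (around line 1211), the new note points to ``:ref:`http.normalization```, but nothing in this patch defines that label, so please confirm it already exists in the user guide, otherwise the cross-reference will not resolve. The wording also repeats "additional" and leaves "formatting/normalization" unspecified; since the note directly above documents the leading and trailing \\r\\n, it would help to say in a few words what kind of normalization a rule writer should expect in ``http.header_names`` before following the link.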