From 95560f09662129c3888e0fa2a0917d9f6c85ad7b Mon Sep 17 00:00:00 2001
From: Juliana Fajardini <jufajardini@oisf.net>
Date: Tue, 27 May 2025 18:13:54 -0300
Subject: [PATCH] docs/exceptions: minor improvements

Add section label and doc reference, add another term to Common terms
section.

Tried to also improve readability for the Midstream behavior tables:
- Highlight key-words when differences are only in `do` vs `no`.
- Change order of sentences in certain descriptions, to align with the
  steps those happen for the engine.
---
 .../configuration/exception-policies.rst      | 26 ++++++++++---------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/doc/userguide/configuration/exception-policies.rst b/doc/userguide/configuration/exception-policies.rst
index af3d61bcdb..43b8292a02 100644
--- a/doc/userguide/configuration/exception-policies.rst
+++ b/doc/userguide/configuration/exception-policies.rst
@@ -15,6 +15,7 @@ available directly via the :ref:`stats settings<suricata_yaml_outputs>`.
 For developers or for researching purposes, there are also simulation options
 exposed in debug mode and passed via command-line. These exist to force or
 simulate failures or errors and understand Suricata behavior under such conditions.
+See :any:`command-line-exception-policies` for those.
 
 .. _master-switch:
 
@@ -144,8 +145,8 @@ midstream pick-ups enabled or not and the various exception policy values:
      - Midstream pick-up sessions ENABLED (stream.midstream=true)
      - Midstream pick-up sessions DISABLED (stream.midstream=false)
    * - Ignore
-     - Session and app-layer traffic tracked and parsed, log app-layer traffic, do detection.
-     - Session not tracked. No app-layer parsing or logging. No detection. No stream reassembly.
+     - Session and app-layer traffic tracked and parsed, log app-layer traffic, **do** detection.
+     - Session not tracked. No app-layer parsing or logging. No stream reassembly. No detection.
    * - Drop-flow
      - Not valid.*
      - Not valid.*
@@ -156,14 +157,14 @@ midstream pick-ups enabled or not and the various exception policy values:
      - Not valid.*
      - Session not tracked, flow REJECTED.
    * - Pass-flow
-     - Session and app-layer traffic tracked and parsed, log app-layer traffic, no detection.
-     - Session not tracked. No app-layer parsing or logging. No detection. No stream reassembly.
+     - Session and app-layer traffic tracked and parsed, log app-layer traffic, **no** detection.
+     - Session not tracked. No app-layer parsing or logging. No stream reassembly. No detection.
    * - Pass-packet
      - Not valid.*
      - Not valid.*
    * - Bypass
      - Not valid.*
-     - Session not tracked. No app-layer parsing or logging. No detection. No stream reassembly.
+     - Session not tracked. No app-layer parsing or logging. No stream reassembly. No detection.
    * - Auto
      - Midstream policy applied: "ignore". Same behavior.
      - Midstream policy applied: "ignore". Same behavior.
@@ -182,11 +183,11 @@ whole flow.
      - Midstream pick-up sessions ENABLED (stream.midstream=true)
      - Midstream pick-up sessions DISABLED (stream.midstream=false)
    * - Ignore
-     - Session and app-layer traffic tracked and parsed, log app-layer traffic, do detection.
-     - Session not tracked. No app-layer parsing or logging. No detection. No stream reassembly.
+     - Session and app-layer traffic tracked and parsed, log app-layer traffic, **do** detection.
+     - Session not tracked. No app-layer parsing or logging. No stream reassembly. No detection.
    * - Drop-flow
      - Not valid.*
-     - Session not tracked. No app-layer parsing or logging. No detection. No stream reassembly.
+     - Session not tracked. No app-layer parsing or logging. No stream reassembly. No detection.
        Flow DROPPED.
    * - Drop-packet
      - Not valid.*
@@ -195,14 +196,14 @@ whole flow.
      - Not valid.*
      - Session not tracked, flow DROPPED and REJECTED.
    * - Pass-flow
-     - Track session, parse and log app-layer traffic, no detection.
-     - Session not tracked. No app-layer parsing or logging. No detection. No stream reassembly.
+     - Track session, parse and log app-layer traffic, **no** detection.
+     - Session not tracked. No app-layer parsing or logging. No stream reassembly. No detection.
    * - Pass-packet
      - Not valid.*
      - Not valid.*
    * - Bypass
      - Not valid.*
-     - Session not tracked. No app-layer parsing or logging. No detection. No stream reassembly.
+     - Session not tracked. No app-layer parsing or logging. No stream reassembly. No detection.
        Packets ALLOWED.
    * - Auto
      - Midstream policy applied: "ignore". Same behavior.
@@ -299,6 +300,7 @@ Suricata logs only the summary. If any further investigation is needed, it
 is recommended to enable per-app-proto exception policy error counters
 temporarily (for more, read :ref:`stats configuration<suricata_yaml_outputs>`).
 
+.. _command-line-exception-policies:
 
 Command-line Options for Simulating Exceptions
 ==============================================
@@ -337,6 +339,6 @@ Glossary
 Common abbreviations
 --------------------
 
-- applayer: application layer protocol
+- applayer/ app-layer: application layer protocol
 - memcap: (maximum) memory capacity available
 - defrag: defragmentation
-- 
2.47.2