doc: Replace images of tables and rules with text in rules docs

In some chapters of the rules documentation, many sections used examples of rules, but these were inserted into images. These have been replaced by text and HTML emphasis.

Additionally, some tables embedded into images were also replaced by reST tables.

doc/userguide/rules/header-keywords.rst

@@ -1,5 +1,6 @@
 Header Keywords
 ===============
+.. role:: example-rule-emphasis
 
 IP-keywords
 -----------
@@ -27,7 +28,9 @@ routing loops.
 
 Example of the ttl keyword in a rule:
 
-.. image:: header-keywords/ttl.png
+.. container:: example-rule
+
+    alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; :example-rule-emphasis:`ttl:0;` reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:2101321; rev:9;)
 
 Ipopts
 ^^^^^^
@@ -37,7 +40,20 @@ set. Ipopts has to be used at the beginning of a rule. You can only
 match on one option per rule. There are several options on which can
 be matched. These are:
 
-.. image:: header-keywords/ipopts.png
+=========  =============================
+IP Option  Description
+=========  =============================
+rr         Record Route
+eol        End of List
+nop        No Op
+ts         Time Stamp
+sec        IP Security
+esec       IP Extended Security
+lsrr       Loose Source Routing
+ssrr       Strict Source Routing
+satid      Stream Identifier
+any        any IP options are set
+=========  =============================
 
 Format of the ipopts keyword::
 
@@ -49,7 +65,9 @@ For example::
 
 Example of ipopts in a rule:
 
-.. image:: header-keywords/ipopts_rule.png
+.. container:: example-rule
+
+    alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC source route ssrr"; :example-rule-emphasis:`ipopts:ssrr;` reference:arachnids,422; classtype:bad-unknown; sid:2100502; rev:3;)
 
 sameip
 ^^^^^^
@@ -64,7 +82,9 @@ keyword is::
 
 Example of sameip in a rule:
 
-.. image:: header-keywords/sameip.png
+.. container:: example-rule
+
+    alert ip any any -> any any (msg:"GPL SCAN same SRC/DST"; :example-rule-emphasis:`sameip;` reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:2100527; rev:9;)
 
 ip_proto
 ^^^^^^^^
@@ -86,7 +106,9 @@ http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
 
 Example of ip_proto in a rule:
 
-.. image:: header-keywords/ip_proto.png
+.. container:: example-rule
+
+    alert ip any any -> any any (msg:"GPL MISC IP Proto 103 PIM"; :example-rule-emphasis:`ip_proto:103;` reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102189; rev:4;)
 
 The named variante of that example would be::
 
@@ -110,7 +132,9 @@ Format of id::
 
 Example of id in a rule:
 
-.. image:: header-keywords/id.png
+.. container:: example-rule
+
+    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 1"; :example-rule-emphasis:`id: 1;` dsize: 24; flags: S,12; content:"\|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001609; classtype:misc-activity; sid:2001609; rev:13;)
 
 Geoip
 ^^^^^
@@ -174,7 +198,9 @@ Format::
 
 Example of fragbits in a rule:
 
-.. image:: header-keywords/fragbits.png
+.. container:: example-rule
+
+   alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; :example-rule-emphasis:`fragbits: M;` fragoffset: >0; reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 Fragoffset
 ^^^^^^^^^^
@@ -199,7 +225,9 @@ Format of fragoffset::
 
 Example of fragoffset in a rule:
 
-.. image:: header-keywords/fragoffset.png
+.. container:: example-rule
+
+   alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: M; :example-rule-emphasis:`fragoffset: >0;` reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
 TCP keywords
 ------------
@@ -226,7 +254,9 @@ Example::
 
 Example of seq in a signature:
 
-.. image:: header-keywords/seq.png
+.. container:: example-rule
+
+    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; ack:0; flags:0; :example-rule-emphasis:`seq:0;` reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7;)
 
 Example of seq in a packet (Wireshark):
 
@@ -249,7 +279,9 @@ Format of ack::
 
 Example of ack in a signature:
 
-.. image:: header-keywords/ack.png
+.. container:: example-rule
+
+    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; :example-rule-emphasis:`ack:0;` flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7;)
 
 Example of ack in a packet (Wireshark):
 
@@ -275,7 +307,9 @@ The format of the window keyword::
 
 Example of window in a rule:
 
-.. image:: header-keywords/Window.png
+.. container:: example-rule
+
+    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED typot trojan traffic"; flow:stateless; flags:S,12; :example-rule-emphasis:`window:55808;` reference:mcafee,100406; classtype:trojan-activity; sid:2182; rev:8;)
 
 ICMP keywords
 -------------
@@ -316,7 +350,44 @@ This example looks for an ICMP type greater than 10::
 
 Example of the itype keyword in a signature:
 
-.. image:: header-keywords/icmp_type.png
+.. container:: example-rule
+
+    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; :example-rule-emphasis:`itype:8;` classtype:attempted-recon; sid:2100478; rev:4;)
+
+The following lists all ICMP types known at the time of writing. A recent table can be found `at the website of IANA <https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml>`_
+
+==========  ==========================================================
+ICMP Type   Name
+==========  ==========================================================
+0           Echo Reply
+3           Destination Unreachable
+4           Source Quench
+5           Redirect
+6           Alternate Host Address
+8           Echo
+9           Router Advertisement
+10          Router Solicitation
+11          Time Exceeded
+12          Parameter Problem
+13          Timestamp
+14          Timestamp Reply
+15          Information Request
+16          Information Reply
+17          Address Mask Request
+18          Address Mask Reply
+30          Traceroute
+31          Datagram Conversion Error
+32          Mobile Host Redirect
+33          IPv6 Where-Are-You
+34          IPv6 I-Am-Here
+35          Mobile Registration Request
+36          Mobile Registration Reply
+37          Domain Name Request
+38          Domain Name Reply
+39          SKIP
+40          Photuris
+41          Experimental mobility protocols such as Seamoby
+==========  ==========================================================
 
 icode
 ^^^^^
@@ -338,7 +409,51 @@ This example looks for an ICMP code greater than 5::
 
 Example of the icode keyword in a rule:
 
-.. image:: header-keywords/icode.png
+.. container:: example-rule
+
+    alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL MISC Time-To-Live Exceeded in Transit"; :example-rule-emphasis:`icode:0;` itype:11; classtype:misc-activity; sid:2100449; rev:7;)
+
+The following lists the meaning of all ICMP types. When a code is not listed,
+only type 0 is defined and has the meaning of the ICMP code, in the table above.
+A recent table can be found `at the website of IANA <https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml>`_
+
+==========  ==========  =========================================================================
+ICMP Code   ICMP Type   Description
+==========  ==========  =========================================================================
+3           - 0         - Net Unreachable
+            - 1         - Host Unreachable
+            - 2         - Protocol Unreachable
+            - 3         - Port Unreachable
+            - 4         - Fragmentation Needed and Don't Fragment was Set
+            - 5         - Source Route Failed
+            - 6         - Destination Network Unknown
+            - 7         - Destination Host Unknown
+            - 8         - Source Host Isolated
+            - 9         - Communication with Destination Network is Administratively Prohibited
+            - 10        - Communication with Destination Host is Administratively Prohibited
+            - 11        - Destination Network Unreachable for Type of Service
+            - 12        - Destination Host Unreachable for Type of Service
+            - 13        - Communication Administratively Prohibited
+            - 14        - Host Precedence Violation
+            - 15        - Precedence cutoff in effect
+5           - 0         - Redirect Datagram for the Network (or subnet)
+            - 1         - Redirect Datagram for the Host
+            - 2         - Redirect Datagram for the Type of Service and Network
+            - 3         - Redirect Datagram for the Type of Service and Host
+9           - 0         - Normal router advertisement
+            - 16        - Doest not route common traffic
+11          - 0         - Time to Live exceeded in Transit
+            - 1         - Fragment Reassembly Time Exceeded
+12          - 0         - Pointer indicates the error
+            - 1         - Missing a Required Option
+            - 2         - Bad Length
+40          - 0         - Bad SPI
+            - 1         - Authentication Failed
+            - 2         - Decompression Failed
+            - 3         - Decryption Failed
+            - 4         - Need Authentication
+            - 5         - Need Authorization
+==========  ==========  =========================================================================
 
 icmp_id
 ^^^^^^^
@@ -360,7 +475,9 @@ This example looks for an ICMP ID of 0::
 
 Example of the icmp_id keyword in a rule:
 
-.. image:: header-keywords/icmp_id.png
+.. container:: example-rule
+
+    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; :example-rule-emphasis:`icmp_id:0;` icmp_seq:0; itype:8; classtype:attempted-recon; sid:2100478; rev:4;)
 
 icmp_seq
 ^^^^^^^^
@@ -381,12 +498,6 @@ This example looks for an ICMP Sequence of 0::
 
 Example of icmp_seq in a rule:
 
-.. image:: header-keywords/icmp_seq.png
-
-Message types and numbers:
-
-.. image:: header-keywords/ICMP_types.png
-
-Meaning of type-numbers en codes combined:
+.. container:: example-rule
 
-.. image:: header-keywords/ICMP_type_code.png
+    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; :example-rule-emphasis:`icmp_seq:0;` itype:8; classtype:attempted-recon; sid:2100478; rev:4;)

doc/userguide/rules/http-keywords.rst

@@ -2,6 +2,7 @@
 
 HTTP Keywords
 =============
+.. role:: example-rule-emphasis
 
 There are additional content modifiers that can provide protocol-specific
 capabilities at the application layer. More information can be found at
@@ -193,7 +194,9 @@ request URI buffer.
 
 Example of ``uricontent``:
 
-.. image:: http-keywords/uricontent.png
+.. container:: example-rule
+
+    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST "; depth:5; :example-rule-emphasis:`uricontent:"/frame.html?";` urilen: > 80; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo; sid:2009173; rev:2;)
 
 The difference between ``http_uri`` and ``uricontent`` is the syntax:
 
@@ -229,7 +232,9 @@ Example:
 
 Example of ``urilen`` in a signature:
 
-.. image:: http-keywords/urilen1.png
+.. container:: example-rule
+
+    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/frame.html?"; :example-rule-emphasis:`urilen: > 80;` classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo; sid:2009173; rev:2;)
 
 You can also append ``norm`` or ``raw`` to define what sort of buffer you want
 to use (normalized or raw buffer).

doc/userguide/rules/intro.rst

@@ -15,9 +15,20 @@ A rule/signature consists of the following:
 
   The action, header and rule-options.
 
+.. role:: example-rule-action
+.. role:: example-rule-header
+.. role:: example-rule-options
+.. role:: example-rule-emphasis
+
 Example of a signature:
 
-.. image:: intro/intro_sig.png
+.. container:: example-rule
+
+    :example-rule-action:`drop` :example-rule-header:`tcp $HOME_NET any -> $EXTERNAL_NET any` :example-rule-options:`(msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)`
+
+In this example, :example-rule-action:`red` is the action,
+:example-rule-header:`green` is the header and :example-rule-options:`blue`
+are the options.
 
 Action
 ------
@@ -25,11 +36,9 @@ Action
 For more information read 'Action Order' see
 :ref:`suricata-yaml-action-order`.
 
-Example:
-
-.. image:: intro/action.png
+.. container:: example-rule
 
-In this example the red, bold-faced part is the action.
+    :example-rule-emphasis:`drop` tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
 
 Protocol
 --------
@@ -45,7 +54,9 @@ match if it concerns http-traffic.
 
 Example:
 
-.. image:: intro/protocol.png
+.. container:: example-rule
+
+    drop :example-rule-emphasis:`tcp` $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
 
 In this example the red, bold-faced part is the protocol.
 
@@ -83,13 +94,11 @@ You can not write a signature using EXTERNAL_NET because it stands for
 
 Example of source and destination in a signature:
 
-.. image:: intro/Source.png
+.. container:: example-rule
 
-The red, bold-faced part is the source.
+    drop tcp :example-rule-emphasis:`$HOME_NET` any -> :example-rule-emphasis:`$EXTERNAL_NET` any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
 
-.. image:: intro/destination.png
-
-The red, bold-faced part is the destination.
+*The first emphasized part is the source, the second is the destination (note the direction of the directional arrow).*
 
 Ports (source-and destination-port)
 -----------------------------------
@@ -120,10 +129,11 @@ Example::
 
 Example of ports in a signature:
 
-.. image:: intro/Source-port.png
+.. container:: example-rule
 
+    drop tcp $HOME_NET :example-rule-emphasis:`any` -> $EXTERNAL_NET :example-rule-emphasis:`any` (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
 
-.. image:: intro/Dest_port.png
+*The first emphasized part is the source, the second is the destination (note the direction of the directional arrow).*
 
 In this example, the red, bold-faced part is the port.
 
@@ -152,7 +162,9 @@ same order/direction as the payload.
 
 Example of direction in a signature:
 
-.. image:: intro/Direction.png
+.. container:: example-rule
+
+    drop tcp $HOME_NET any :example-rule-emphasis:`->` $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
 
 In this example the red, bold-faced part is the direction.
 

doc/userguide/rules/meta.rst

@@ -1,6 +1,8 @@
 Meta-settings
 =============
 
+.. role:: example-rule-emphasis
+
 Meta-settings have no effect on Suricata's inspection; they do have an effect on the way Suricata reports events.
 
 msg (message)
@@ -26,6 +28,10 @@ It is a convention that msg is always the first keyword of a signature.
 
 Another example of msg in a signature:
 
+.. container:: example-rule
+
+    drop tcp $HOME_NET any -> $EXTERNAL_NET any (:example-rule-emphasis:`msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)";` flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
+
 In this example the red, bold-faced part is the msg.
 
 .. note:: The following characters must be escaped inside the msg:
@@ -44,7 +50,9 @@ The format of sid is:
 
 Example of sid in a signature:
 
-.. image:: meta/sid.png
+.. container:: example-rule
+
+    drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; :example-rule-emphasis:`sid:2008124;` rev:2;)
 
 In this example the red, bold-faced part is the sid.
 
@@ -65,7 +73,9 @@ of all keywords.*
 
 Example of rev in a signature:
 
-.. image:: meta/rev.png
+.. container:: example-rule
+
+    drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; :example-rule-emphasis:`rev:2;`)
 
 In this example the red, bold-faced part is the rev.
 
@@ -80,7 +90,10 @@ the alert.
 
 Example of gid in a signature:
 
-.. image:: meta/gid.png
+.. container:: example-rule
+
+    10/15/09-03:30:10.219671  [**] [:example-rule-emphasis:`1`:2008124:2] ET TROJAN Likely Bot Nick in IRC (USA +..) [**] [Classification: A Network Trojan was Detected]
+    [Priority: 3] {TCP} 192.168.1.42:1028 -> 72.184.196.31:6667
 
 This is an example from the fast.log.
 In the part [1:2008124:2], 1 is the gid (2008124 is the the sid and 2 the rev).
@@ -102,14 +115,21 @@ Example classtype::
   config classification: web-application-attack,Web Application Attack,1
   config classification: not-suspicious,Not Suspicious Traffic,3
 
-.. image:: meta/classification.png
+=======================  ======================  ===========
+classtype                Alert                   Priority
+=======================  ======================  ===========
+web-application-attack   Web Application Attack  1
+not-suspicious           Not Suspicious Traffic  3
+=======================  ======================  ===========
 
 In this example you see how classtype appears in signatures, the
 classification.config and the alert.
 
 Another example of classtype in a signature:
 
-.. image:: meta/classtype.png
+.. container:: example-rule
+
+    drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; :example-rule-emphasis:`classtype:trojan-activity;` sid:2008124; rev:2;)
 
 In this example the red, bold-faced part is the classtype.
 
@@ -152,7 +172,9 @@ For example bugtraq will be replaced by the full url:
 
 Example of reference in a signature:
 
-.. image:: meta/reference.png
+.. container:: example-rule
+
+    drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; :example-rule-emphasis:`reference:url,doc.emergingthreats.net/2008124;` classtype:trojan-activity; sid:2008124; rev:2;)
 
 In this example the red, bold-faced part is the action.
 

doc/userguide/rules/payload-keywords.rst

@@ -1,5 +1,6 @@
 Payload Keywords
 ================
+.. role:: example-rule-emphasis
 
 .. toctree::
    :maxdepth: 2
@@ -67,7 +68,9 @@ If you add nothing special to the signature, it will try to find a match in all
 
 Example:
 
-.. image:: payload-keywords/content.png
+.. container:: example-rule
+
+    drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; :example-rule-emphasis:`content:"NICK ";` pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
 
 In this example, the red, bold-faced part is the content.
 
@@ -249,7 +252,9 @@ Format::
 
 example of dsize in a rule:
 
-.. image:: payload-keywords/dsize.png
+.. container:: example-rule
+
+    alert udp $EXTERNAL_NET any -> $HOME_NET 65535 (msg:"GPL DELETED EXPLOIT LANDesk Management Suite Alerting Service buffer overflow"; :example-rule-emphasis:`dsize:>268;` reference: bugtraq,23483; reference: cve,2007-1674; classtype: attempted-admin; sid:100000928; rev:1;)
 
 rpc
 ----
@@ -271,7 +276,9 @@ Format::
 
 Example of the rpc keyword in a rule:
 
-.. image:: payload-keywords/rpc.png
+.. container:: example-rule
+
+    alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; :example-rule-emphasis:`rpc:100009,*,*;` reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;)
 
 Replace
 -------