doc: Move fast_pattern and prefilter to dedicated page

8 years ago · bb1bf2643d
parent fea037fda8
commit bb1bf2643d
6 changed files with 25 additions and 32 deletions
--- a/doc/userguide/rules/differences-from-snort.rst
+++ b/doc/userguide/rules/differences-from-snort.rst
@ -561,7 +561,7 @@ Fast Pattern
   when doing fast pattern matching, something the other algorithims and
   Snort do not do.

-  :doc:`fast-pattern`
+-  :ref:`rules-keyword-fast_pattern`

 Don't Cross The Streams
 -----------------------
--- a/doc/userguide/rules/http-keywords.rst
+++ b/doc/userguide/rules/http-keywords.rst
@ -706,9 +706,3 @@ pcre
 ----

 For information about the ``pcre`` keyword, check the :doc:`pcre` page.
-
-fast_pattern
------------
-
-For information about the ``fast_pattern`` keyword, check the
-:doc:`fast-pattern` page.
--- a/doc/userguide/rules/index.rst
+++ b/doc/userguide/rules/index.rst
@ -6,8 +6,8 @@ Suricata Rules
   intro
   meta
   header-keywords
-   prefilter
   payload-keywords
+   prefilter-keywords
   http-keywords
   flow-keywords
   flowint
--- a/doc/userguide/rules/payload-keywords.rst
+++ b/doc/userguide/rules/payload-keywords.rst
@ -6,7 +6,6 @@ Payload Keywords
   :maxdepth: 2

   pcre
-   fast-pattern

 Payload keywords inspect the content of the payload of a packet or
 stream.
@ -303,8 +302,3 @@ pcre
 ----

 For information about pcre check the :doc:`pcre` page.
-
-fast_pattern
------------
-
-For information about fast_pattern check the :doc:`fast-pattern` page.
--- a/doc/userguide/rules/prefilter-keywords.rst
+++ b/doc/userguide/rules/prefilter-keywords.rst
@ -1,6 +1,11 @@
-Fast Pattern
-============
+=====================
+Prefiltering Keywords
+=====================
+
+.. _rules-keyword-fast_pattern:

+fast_pattern
+============
 .. toctree::

   fast-pattern-explained
@ -41,7 +46,7 @@ Fast-pattern can also be combined with all previous mentioned
 keywords, and all mentioned HTTP-modifiers.

 fast_pattern:only
-----------------
+~~~~~~~~~~~~~~~~~

 Sometimes a signature contains only one content. In that case it is
 not necessary Suricata will check it any further after a match has
@ -50,8 +55,8 @@ matches. Suricata notices this automatically. In some signatures this
 is still indicated with 'fast_pattern:only;'. Although Suricata does
 not need fast_pattern:only, it does support it.

-Fast_pattern: 'chop'
--------------------
+fast_pattern:'chop'
+~~~~~~~~~~~~~~~~~~~~

 If you do not want the MPM to use the whole content, you can use
 fast_pattern 'chop'.
@ -61,3 +66,16 @@ For example::
  content: “aaaaaaaaabc”; fast_pattern:8,4;

 This way, MPM uses only the last four characters.
+
+
+prefilter
+=========
+The prefilter engines for other non-MPM keywords can be enabled in specific rules by using the 'prefilter' keyword.
+
+In the following rule the TTL test will be used in prefiltering instead of the single byte pattern:
+
+::
+
+  alert ip any any -> any any (ttl:123; prefilter; content:"a"; sid:1;)
+
+For more information on how to configure the prefilter engines, see :ref:`suricata-yaml-prefilter`
--- a/doc/userguide/rules/prefilter.rst
+++ b/doc/userguide/rules/prefilter.rst
@ -1,13 +0,0 @@
-Prefilter
-=========
-
-The prefilter engines for other non-MPM keywords can be enabled in specific rules by using the 'prefilter' keyword.
-
-In the following rule the TTL test will be used in prefiltering instead of the single byte pattern:
-
-::
-
-  alert ip any any -> any any (ttl:123; prefilter; content:"a"; sid:1;)
-
-For more information on how to configure the prefilter engines, see :ref:`suricata-yaml-prefilter`
-