[Snort-devel] fast_pattern not always longest content string by default?

Mike Cox mike.cox52 at ...2499...
Wed Oct 22 09:16:08 EDT 2014


Hi All,

I was looking thru some of my sigs with 'debug-print-fast-pattern' turned
on and noticed that the fast pattern string was not always the longest
content match by default.  Specifically, it appears that content matches in
(valid for fast_pattern) HTTP Inspect buffers (e.g. http_header, http_uri,
etc.) are taking priority.  For example, consider this sig:

alert tcp any any -> any $HTTP_PORTS (msg:"FP Test";
flow:established,to_server; content:"twitter.com"; http_header;
content:"hellow Twitter tweet"; sid:1234567;)

The longest content match is "hellow Twitter tweet" but when I look at the
fast pattern debug output, the fast pattern used is "twitter.com".

Having the HTTP Inspect buffers take priority makes sense because they will
be smaller than the entire packet and thus more efficient.  However, I do
not see this behavior documented in the manual which says, "the default
behavior of fast pattern determination is to use the longest content in the
rule..."

Can someone comment/confirm this?  It is looking like I may have to
review/tweak a plethora of sigs.... :(

Thanks!

-Mike Cox
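Added example (not part of the post above and not Snort's own fpcreate code): a small Python model of the default selection the post describes, so the effect on a rule can be checked offline. It assumes the order "explicit fast_pattern modifier wins, then the longest content in a fast_pattern-eligible HTTP Inspect buffer, then the longest content overall", and it assumes http_uri, http_header and http_client_body as the eligible buffer set; both are assumptions for the model. The rules and the parser are constructed for this example; the second rule is the poster's rule with fast_pattern added to the long content.

```python
import re

# Constructed rules for this example. RULE_DEFAULT is the rule from the post;
# RULE_EXPLICIT adds fast_pattern to the longer content; RULE_PLAIN has no
# HTTP buffer contents at all.
RULE_DEFAULT = ('alert tcp any any -> any $HTTP_PORTS (msg:"FP Test"; '
                'flow:established,to_server; content:"twitter.com"; http_header; '
                'content:"hellow Twitter tweet"; sid:1234567;)')
RULE_EXPLICIT = ('alert tcp any any -> any $HTTP_PORTS (msg:"FP Test"; '
                 'flow:established,to_server; content:"twitter.com"; http_header; '
                 'content:"hellow Twitter tweet"; fast_pattern; sid:1234567;)')
RULE_PLAIN = ('alert tcp any any -> any any (msg:"No HTTP buffers"; '
              'content:"abc"; content:"abcdef"; nocase; sid:1234568;)')

# Assumed set of HTTP Inspect buffers eligible for the fast pattern (a model
# assumption, not a statement about every Snort version).
FP_HTTP_BUFFERS = {"http_uri", "http_header", "http_client_body"}

# Option names treated as modifiers of the preceding content option.
MODIFIER_NAMES = FP_HTTP_BUFFERS | {
    "http_method", "http_cookie", "http_raw_uri", "http_raw_header",
    "http_raw_cookie", "http_stat_code", "http_stat_msg",
    "nocase", "offset", "depth", "distance", "within", "rawbytes", "fast_pattern",
}


def split_options(rule):
    """Split the option body of a rule on ';' while ignoring ';' inside quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, buf, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            options.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        options.append(buf.strip())
    return options


def parse_contents(rule):
    """Return [{'pattern': str, 'modifiers': set}, ...] in rule order.

    Modifiers (http_header, nocase, fast_pattern, depth:5, ...) attach to the
    most recent content option, as they do in the rule language."""
    contents = []
    for opt in split_options(rule):
        match = re.match(r'content:\s*"(.*)"$', opt)
        if match:
            contents.append({"pattern": match.group(1), "modifiers": set()})
            continue
        name = opt.split(":", 1)[0].strip()
        if contents and name in MODIFIER_NAMES:
            contents[-1]["modifiers"].add(name)
    return contents


def select_fast_pattern(contents):
    """Model of the default selection described in the post.

    1. a content carrying an explicit fast_pattern modifier wins;
    2. otherwise the longest content in an eligible HTTP buffer;
    3. otherwise the longest content in the rule."""
    explicit = [c for c in contents if "fast_pattern" in c["modifiers"]]
    if explicit:
        return explicit[0]["pattern"]
    http = [c for c in contents if c["modifiers"] & FP_HTTP_BUFFERS]
    pool = http or contents
    if not pool:
        return None
    return max(pool, key=lambda c: len(c["pattern"]))["pattern"]


def fast_pattern_for(rule):
    """Convenience wrapper: parse a rule and return its modelled fast pattern."""
    return select_fast_pattern(parse_contents(rule))


if __name__ == "__main__":
    for name, rule in (("default", RULE_DEFAULT), ("explicit", RULE_EXPLICIT),
                       ("plain", RULE_PLAIN)):
        print(f"{name:8s} -> {fast_pattern_for(rule)!r}")
```

Under the modelled behaviour the post's rule selects "twitter.com", adding fast_pattern to the long content makes "hellow Twitter tweet" the fast pattern, and a rule with no HTTP buffer contents falls back to its longest content. The authoritative check for any real rule set is still the debug-print-fast-pattern output the post mentions.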