[Snort-devel] fast_pattern not always longest content string by default?
kumba at ...2185...
Wed Oct 22 21:02:07 EDT 2014
I'll wager that this is a relic of Snort's early days as primarily an HTTP
traffic sniffer, before it became a more generic deep-packet inspection tool.
Something like this should get a mention in the Snort manual, though there are
several places where it states that the longest content match is the default,
yet doesn't differentiate between a normal content match and a content match
modified by an HTTP keyword. So, not a quick fix w/o refactoring the lingo in
a few spots.
On 10/22/2014 16:30, Josh Rosenbaum (jrosenba) wrote:
> Hi Mike,
> Sorry for this unfortunate news, but it looks like you will need tweak those
> sigs. I can confirm that if a fast_pattern keyword is not specified for a
> given rule, the default fast pattern is the longest HTTP buffer content.
> If no HTTP buffer content is present, then the fast pattern is the longest
> From: Mike Cox <mike.cox52 at ...2499...<mailto:mike.cox52 at ...2499...>>
> Date: Wednesday, October 22, 2014 at 8:16 AM
> Subject: [Snort-devel] fast_pattern not always longest content string by default?
> Hi All,
> I was looking thru some of my sigs with 'debug-print-fast-pattern' turned on
> and noticed that the fast pattern string was not always the longest content
> match by default. Specifically, it appears that content matches in (valid
> for fast_pattern) HTTP Inspect buffers (e.g. http_header, http_uri, etc.)
> are taking priority. For example, consider this sig:
> alert tcp any any -> any $HTTP_PORTS (msg:"FP Test";
> flow:established,to_server; content:"twitter.com<http://twitter.com>";
> http_header; content:"hellow Twitter tweet"; sid:1234567;)
> The longest content match is "hellow Twitter tweet" but when I look at the
> fast pattern debug output, the fast pattern used is
> Having the HTTP Inspect buffers take priority makes sense because they will
> be smaller than the entire packet and thus more efficient. However, I do
> not see this behavior documented in the manual which says, "the default
> behavior of fast pattern determination is to use the longest content in the
> Can someone comment/confirm this? It is looking like I may have to
> review/tweak a plethora of sigs.... :(
> -Mike Cox
More information about the Snort-devel