[Snort-sigs] fast_pattern rules option

Zultan zultan at ...1298...
Thu Jul 9 06:50:30 EDT 2009

Saw Matt's post on the VRT blog about rule content matches, and using the fast_pattern rule option.


The VRT blog requires a Google account to reply.  I don't have one, nor do I need or want one, so I'll post my question here.


What if we're sure the first few bytes of data will be unique?  If they match, only then inspect the rest of the packet.

For example, looking for "content:"|16 03|"; depth:2;" on port 443 to identify the initial SSL/TLS packets.

Or similarly, "content:"GET "; depth:4;" on port 80 to only further inspect web-browser GET requests.

Do we now need to add fast_pattern to get it to use these qualifiers first?


...content:"|16 03|"; depth:2; fast_pattern;...


...content:"GET "; depth:4; fast_pattern;...

