[Snort-sigs] Fast Pattern Matcher not using http_raw_* content strings?

Mike Cox mike.cox52 at ...2420...
Wed Oct 1 16:36:03 EDT 2014


Never mind.  I found a newer Snort manual as well as this helpful error
message:

Cannot use the fast_pattern content modifier for a lone http
cookie/http raw uri /http raw header /http raw cookie /status code /
status msg /http method buffer content.


Good to know, thanks!

-Mike Cox

On Tue, Sep 30, 2014 at 1:59 PM, Mike Cox <mike.cox52 at ...2420...> wrote:

> I apologize if this is an elementary question but the Snort manual wasn't
> *entirely* clear on this.  From what I can tell, the Fast Pattern Matcher
> isn't using content matches if they have a 'http_raw_*' keyword, even if
> they are the longest content match.  However, non-'raw' HTTP Inspect
> keywords (e.g. "http_uri", "http_header", etc.) are used by the Fast
> Pattern Matcher and it searches the normalized buffer.  Is this correct?
> Is this the case for all Snort versions that use the HTTP Inspect
> preprocessor and the Fast Pattern Matcher?
>
> Thanks!
>
> -Mike Cox
>
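
A small rule linter for the behaviour discussed in this thread, as an added example that is not part of the original messages or of Snort itself. It assumes the Snort 2.x keyword names for the buffers listed in the error message, and the sample rules are constructed.

```python
import re

# Assumption: these Snort 2.x content modifiers correspond to the buffers
# named in the error message quoted in the thread.
NO_FAST_PATTERN = {"http_cookie", "http_raw_uri", "http_raw_header",
                   "http_raw_cookie", "http_stat_code", "http_stat_msg",
                   "http_method"}
# One rule option: name[:value]; a value may hold quoted strings containing ';'.
OPTION = re.compile(r'\s*([\w.]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')

def contents(rule):
    """One entry per content option, with the option names that follow it."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    found = []
    for name, value in OPTION.findall(body):
        if name == "content":
            found.append({"pattern": value.strip().lstrip("!").strip('"'),
                          "mods": set()})
        elif found:
            found[-1]["mods"].add(name)
    return found

def pattern_len(pattern):
    """Byte length of a content pattern; |..| sections hold hex bytes."""
    parts = pattern.split("|")
    return sum(len(p.split()) if i % 2 else len(p) for i, p in enumerate(parts))

def lint(rule):
    """Flag fast_pattern on an excluded buffer, or a longest content in one."""
    findings, cs = [], contents(rule)
    for c in cs:
        bad = sorted(c["mods"] & NO_FAST_PATTERN)
        if bad and "fast_pattern" in c["mods"]:
            findings.append(f"fast_pattern set on {bad[0]} content '{c['pattern']}'")
    longest = max(cs, key=lambda c: pattern_len(c["pattern"]), default=None)
    if longest and "fast_pattern" not in longest["mods"]:
        bad = sorted(longest["mods"] & NO_FAST_PATTERN)
        if bad:
            findings.append(f"longest content '{longest['pattern']}' is in {bad[0]}")
    return findings

# Constructed sample rules, not taken from the thread.
RULES = [
    'alert tcp any any -> any 80 (msg:"A"; content:"/admin/../../etc"; http_raw_uri; fast_pattern; content:"GET"; http_method; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"B"; content:"%2e%2e%2f%2e%2e%2f"; http_raw_uri; content:"/cgi"; http_uri; sid:1000002;)',
    'alert tcp any any -> any 80 (msg:"C"; content:"/cgi-bin/status"; http_uri; fast_pattern; sid:1000003;)',
]
if __name__ == "__main__":
    for rule in RULES:
        print(lint(rule) or "ok")
```

Rule A is the case Snort rejects with the error above; rule B is the case from the original question, where the longest content sits in a raw buffer.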