[Snort-sigs] Fast Pattern Matcher not using http_raw_* content strings?
mike.cox52 at ...2420...
Wed Oct 1 16:36:03 EDT 2014
Never mind. I found a newer Snort manual as well as this helpful error:

    Cannot use the fast_pattern content modifier for a lone http
    cookie/http raw uri /http raw header /http raw cookie /status code /
    status msg /http method buffer content.

Good to know, thanks!
On Tue, Sep 30, 2014 at 1:59 PM, Mike Cox <mike.cox52 at ...2420...> wrote:
> I apologize if this is an elementary question but the Snort manual wasn't
> *entirely* clear on this. From what I can tell, the Fast Pattern Matcher
> isn't using content matches if they have a 'http_raw_*' keyword, even if
> they are the longest content match. However, non-'raw' HTTP Inspect
> keywords (e.g. "http_uri", "http_header", etc.) are used by the Fast
> Pattern Matcher and it searches the normalized buffer. Is this correct?
> Is this the case for all Snort versions that use the HTTP Inspect
> preprocessor and the Fast Pattern Matcher?
> -Mike Cox
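
Added example, not part of the original thread and not Snort project code: a small rule linter that flags `fast_pattern` on the buffers named in the error message above and reports rules whose contents are all in those buffers. It assumes Snort 2.9.x rule syntax and maps the buffers in the message to their rule keywords; the two rules are constructed samples.

```python
# Rule keywords for the buffers named in the error message (Snort 2.9.x syntax).
FP_INELIGIBLE = {"http_cookie", "http_raw_uri", "http_raw_header", "http_raw_cookie",
                 "http_stat_code", "http_stat_msg", "http_method"}

# Constructed sample rules, not taken from any published rule set.
RAW_ONLY = ('alert tcp any any -> any 80 (msg:"constructed; raw only"; '
            'content:"/a%20b.php"; http_raw_uri; fast_pattern; sid:1000001;)')
MIXED = ('alert tcp any any -> any 80 (msg:"constructed mixed"; content:"/login.php"; '
         'http_uri; content:"%2e%2e"; http_raw_uri; sid:1000002;)')

def split_options(rule):
    """Split the option body on ';', ignoring ';' inside quotes or after a backslash."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, quoted, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not quoted and not escaped:
            if cur.strip():
                opts.append(cur.strip())
            cur = ""
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = (ch == "\\") and not escaped
        cur += ch
    return opts

def contents(rule):
    """One dict per content option, with the http_* modifiers that follow it."""
    found = []
    for opt in split_options(rule):
        name, _, arg = opt.partition(":")
        name = name.strip()
        if name == "content":
            found.append({"pattern": arg.strip(), "mods": set(), "fp": False})
        elif found and name == "fast_pattern":
            found[-1]["fp"] = True
        elif found and name.startswith("http_"):
            found[-1]["mods"].add(name)
    return found

def lint(rule):
    """Return findings about fast-pattern eligibility for one rule."""
    cs = contents(rule)
    out = [f"fast_pattern on {c['pattern']} uses {sorted(c['mods'] & FP_INELIGIBLE)[0]}"
           for c in cs if c["fp"] and c["mods"] & FP_INELIGIBLE]
    if cs and all(c["mods"] & FP_INELIGIBLE for c in cs):
        out.append("no content is eligible for the fast pattern matcher")
    return out

if __name__ == "__main__":
    for r in (RAW_ONLY, MIXED):
        print(lint(r) or "ok")
```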