[Snort-sigs] Fast Pattern Matcher not using http_raw_* content strings?

Joel Esler (jesler) jesler at ...3865...
Wed Oct 1 17:04:45 EDT 2014

Sorry I didn’t answer you back on this sooner Mike, but I am glad you found the answer!

Joel Esler
Open Source Manager
Threat Intelligence Team Lead

On Oct 1, 2014, at 4:36 PM, Mike Cox <mike.cox52 at ...2420...<mailto:mike.cox52 at ...2420...>> wrote:

Nevermind.  I found a newer Snort manual as well as this helpful error message:

Cannot use the fast_pattern content modifier for a lone http cookie/http raw uri /http raw header /http raw cookie /status code / status msg /http method buffer content.

Good to know, thanks!

-Mike Cox

On Tue, Sep 30, 2014 at 1:59 PM, Mike Cox <mike.cox52 at ...2420...<mailto:mike.cox52 at ...2420...>> wrote:
I apologize if this is an elementary question but the Snort manual wasn't *entirely* clear on this.  From what I can tell, the Fast Pattern Matcher isn't using content matches if they have a 'http_raw_*' keyword, even if they are the longest content match.  However, non-'raw' HTTP Inspect keywords (e.g. "http_uri", "http_header", etc.) are used by the Fast Pattern Matcher and it searches the normalized buffer.  Is this correct?  Is this the case for all Snort versions that use the HTTP Inspect preprocessor and the Fast Pattern Matcher?


-Mike Cox

Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

Please visit http://blog.snort.org for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20141001/fd27ea1b/attachment.html>

More information about the Snort-sigs mailing list