[Snort-sigs] Fast Pattern Matcher not using http_raw_* content strings?

Mike Cox mike.cox52 at ...2420...
Tue Sep 30 13:59:45 EDT 2014


I apologize if this is an elementary question but the Snort manual wasn't
*entirely* clear on this.  From what I can tell, the Fast Pattern Matcher
isn't using content matches if they have a 'http_raw_*' keyword, even if
they are the longest content match.  However, non-'raw' HTTP Inspect
keywords (e.g. "http_uri", "http_header", etc.) are used by the Fast
Pattern Matcher and it searches the normalized buffer.  Is this correct?
Is this the case for all Snort versions that use the HTTP Inspect
preprocessor and the Fast Pattern Matcher?

Thanks!

-Mike Cox