Feature #4855: rules: refactor rule parsing into multi-stage parser
rule parsing: wrong content checked for fast_pattern (snort compatibility)
Given a rule like:
content:"AAAA"; fast_pattern:only; content:"BBBB"; http_raw_uri; content:"AAAA"; distance:0; http_raw_uri;
The distance will end up checking the the first occurrence of content for "fast_pattern:only" instead of the previous content, as its not looking for the previous content on the http_raw_uri list.
If the rule is modified to have the distance after http_raw_uri, eg:
content:"AAAA"; fast_pattern:only; content:"BBBB"; http_raw_uri; content:"AAAA"; http_raw_uri; distance:0;
then the correct contents is checked as the rule parsing context is on the correct list.
However, from the rule writers perspective these 2 variations should result in the same outcome.