Project

General

Profile

Actions
Copy link

Feature #196

closed
WM PR

Keywords for which we don't support fast_pattern as a modifer should accept the sig and warn.

Feature #196: Keywords for which we don't support fast_pattern as a modifer should accept the sig and warn.

Added by Will Metcalf almost 16 years ago. Updated almost 16 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Pablo Rincon
Target version:
1.0.0
Effort:
Difficulty:
Label:

Description

"fast_pattern found inside the rule, without any preceding keywords"

The output above came from a fast_pattern modifier to a uricontent keyword. fast_pattern may not make sense or may not be possible for all keywords in suricata where it may make sense in snort. Since these are simply rule optimizations for snort, perhaps in cases such as this we should do the following..

1. Warn the user that the rule can not be optimized with fast_pattern; and the previous keyword they used.
2. Go ahead and parse the rule ignoring the fast_pattern modifier.

Files

Download all files
0001-Load-signatures-with-incompatible-fast_pattern-optio.patch (3.26 KB) 0001-Load-signatures-with-incompatible-fast_pattern-optio.patch Now it continue loading and warn with a message of compatiblity. Pablo Rincon, 06/30/2010 07:05 AM
0002-Updating-the-http-modifers-that-cannot-be-loaded-wit.patch (2.95 KB) 0002-Updating-the-http-modifers-that-cannot-be-loaded-wit.patch Updating the http modifers that cannot be loaded with fast_pattern Pablo Rincon, 06/30/2010 07:37 AM
0003-Print-also-the-Signature-raw-string.patch (2 KB) 0003-Print-also-the-Signature-raw-string.patch Pablo Rincon, 06/30/2010 10:20 AM
0005-Updating-other-http-modifiers-for-sigs-with-fast_pat.patch (3.02 KB) 0005-Updating-other-http-modifiers-for-sigs-with-fast_pat.patch Updating other http modifiers for sigs with fast_pattern option Pablo Rincon, 07/01/2010 05:16 AM
Actions
Copy link

Also available in: PDF Atom