Suricata

It would be useful to have a way to indicate that a rule with a flowbit check should only be checked in the event that the set flowbit appears in the flow.

This could reduce the number of checks on signatures with poor fast_pattern candidates and time spent matching only to throw away the match because the flowbit was not present.

For example:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HTTP POST Form Observed After Successful Credential Theft"; flowbits:isset,ET.genericphish; file_data; content:"method=|22|post|22|"; nocase; sid:123; rev:1;)


This rule can be very useful for generic phish detection, but because the only content we're looking for is the post, we incur lots and lots of checks as thats the only available match for fast_pattern