Project

General

Profile

Actions

Feature #3688

closed

Re-implement fast_pattern:only; in some way

Added by Jason Williams almost 4 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

I've been working on updating the Suricata 5 ET/ETPRO set over the past few weeks to proper notation and it is very apparent to me that we need some kind of way to do the below.

If i have a rule that is looking for the string "test" at the beginning of http.user_agent, i can write a rule snippet such as:

http.user_agent; content:"test"; startswith;

Which is fine, unless it is the fast pattern which would cause many unnecessary checks on things that are not in the buffer i want.

So to get a good fast_pattern on this i have to revert to using http.header

http.header; content:"User-Agent|3a 20|test"; fast_pattern;

So now i get a better fast_pattern match as its a more unique string in the flow, but i lost the ability to look in the smaller faster buffer of http.user_agent.

I would like to be able to do the below in suri rule language:

content:"User-Agent|3a 20|test"; fast_pattern:only; http.user_agent; content:"test"; startswith;

Actions

Also available in: Atom PDF