Bug #5013
openfast pattern discrepancy when using engine-analysis
Description
Using an example dns rule:
alert dns $HOME_NET any -> any any (msg:"DNS Lookup"; dns.query; content:"johny.bravo"; nocase; endswith; sid:111; rev:1; )
Running the engine analysis command:
/opt/suritest/bin/suricata -S test-dns.rules --engine-analysis -l logs/ -T
The results in logs/rules_analysis.txt and logs/rules.json differ in terms of fast_pattern (one says it is on the content buffer, the other that fast_pattern does not exist).
== Sid: 111 ==
alert dns $HOME_NET any -> any any (msg:"DNS Lookup"; dns.query; content:"johny.bravo"; nocase; endswith; sid:111; rev:1; )
App layer protocol is dns.
Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "johny.bravo" on "dns request query (dns_query)" buffer.
Warning: TCP rule without a flow or flags option.
-Consider adding flow or flags to improve performance of this rule.
{
  "raw": "alert dns $HOME_NET any -> any any (msg:\"DNS Lookup\"; dns.query; content:\"johny.bravo\"; nocase; endswith; sid:111; rev:1; )",
  "id": 111,
  "gid": 1,
  "rev": 1,
  "msg": "DNS Lookup",
  "app_proto": "dns",
  "requirements": [
    "flow"
  ],
  "flags": [
    "dst_any",
    "sp_any",
    "dp_any",
    "applayer",
    "toserver",
    "prefilter"
  ],
  "pkt_engines": [],
  "engines": [
    {
      "name": "dns_query",
      "direction": "toserver",
      "is_mpm": true,
      "app_proto": "dns",
      "progress": 1,
      "matches": [
        {
          "name": "content",
          "content": {
            "pattern": "johny.bravo",
            "length": 11,
            "nocase": true,
            "negated": false,
            "starts_with": false,
            "ends_with": true,
            "is_mpm": true,
            "no_double_inspect": true,
            "fast_pattern": false
          }
        }
      ]
    }
  ],
  "lists": {},
  "mpm": {
    "buffer": "dns_query",
    "pattern": "johny.bravo",
    "length": 11,
    "nocase": true,
    "negated": false,
    "starts_with": false,
    "ends_with": true,
    "is_mpm": true,
    "no_double_inspect": true,
    "fast_pattern": false
  }
}
The question is which one is the accurate one.
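As an added cross-check (written here, not part of the report or of Suricata itself), the script below parses both outputs as shown above and reports, per sid, whether the text report's "Fast Pattern ... on ... buffer" line agrees with the JSON "mpm" block, while listing the JSON "is_mpm" and "fast_pattern" booleans separately instead of treating them as one flag. It assumes rules.json is written as one JSON object per line; the sample inputs are constructed from the sid 111 output quoted in this report.

```python
import json
import re

# Constructed sample inputs, copied from the sid 111 output quoted in the report.
RULES_ANALYSIS_TXT = """== Sid: 111 ==
alert dns $HOME_NET any -> any any (msg:"DNS Lookup"; dns.query; content:"johny.bravo"; nocase; endswith; sid:111; rev:1; )
App layer protocol is dns.
Fast Pattern "johny.bravo" on "dns request query (dns_query)" buffer.
"""

# Assumed layout: one JSON object per line (only the fields used here are kept).
RULES_JSON = '{"id": 111, "mpm": {"buffer": "dns_query", "pattern": "johny.bravo", "is_mpm": true, "fast_pattern": false}}'

# Matches the text report's fast-pattern line and captures the pattern and the
# short buffer name given in parentheses, e.g. "(dns_query)".
FP_LINE = re.compile(r'^Fast Pattern "(?P<pattern>[^"]*)" on ".*\((?P<buffer>\w+)\)" buffer\.$', re.M)


def parse_text_report(text):
    """Map sid -> (pattern, buffer) from rules_analysis.txt, or None if no fast pattern line."""
    out = {}
    blocks = re.split(r'^== Sid: (\d+) ==$', text, flags=re.M)  # ['', sid, body, sid, body, ...]
    for sid, body in zip(blocks[1::2], blocks[2::2]):
        m = FP_LINE.search(body)
        out[int(sid)] = (m.group("pattern"), m.group("buffer")) if m else None
    return out


def parse_json_report(text):
    """Map sid -> the "mpm" object from rules.json (empty dict when the record has none)."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            out[rec["id"]] = rec.get("mpm") or {}
    return out


def compare(text_report, json_report):
    """Per sid: does the text fast pattern match the JSON mpm block, and what do the two booleans say."""
    result = {}
    for sid, mpm in json_report.items():
        json_mpm = (mpm.get("pattern"), mpm.get("buffer")) if mpm else None
        entry = {
            "text_fast_pattern": text_report.get(sid),
            "json_mpm": json_mpm,
            "json_is_mpm": bool(mpm.get("is_mpm")),
            "json_fast_pattern_flag": bool(mpm.get("fast_pattern")),
        }
        entry["mpm_agrees"] = entry["text_fast_pattern"] == json_mpm
        result[sid] = entry
    return result
```

Running compare() over the two parsed reports shows the pattern and buffer agree for sid 111 while "is_mpm" is true and "fast_pattern" is false, which is exactly the discrepancy the report asks about.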