Suricata

Example the signature with sid: 498 should fire when visiting http://www.testmyids.com but fails when sid: 12757 is enabled as it contains a fast_pattern modified match and is inspecting the same payload as sid: 498. This worked previous to commit 6ca5dbc9e93d5af306a48ca86ee7bd67b8fbfade. I have attached a patch with a unittest showing this behavior. Please include it when you submit a patch that addresses the issue.

example rules:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Quicktime uncompressed PICT stack overflow attempt"; flow:to_client,established; content:"|00 00 00 00 00 00 00 00 00 00|"; content:"|00 11 02 FF|"; distance:0; fast_pattern; content:"|82 01|"; distance:0; byte_test:4,<,50,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26344; reference:cve,2007-4672; classtype:attempted-user; sid:12757; rev:2;)

alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:bad-unknown; sid:498; rev:7;)