Snort mailing list archives
Fast Pattern Matcher not using http_raw_* content strings?
From: Mike Cox <mike.cox52 () gmail com>
Date: Tue, 30 Sep 2014 13:59:45 -0400
I apologize if this is an elementary question but the Snort manual wasn't *entirely* clear on this. From what I can tell, the Fast Pattern Matcher isn't using content matches if they have a 'http_raw_*' keyword, even if they are the longest content match. However, non-'raw' HTTP Inspect keywords (e.g. "http_uri", "http_header", etc.) are used by the Fast Pattern Matcher and it searches the normalized buffer. Is this correct? Is this the case for all Snort versions that use the HTTP Inspect preprocessor and the Fast Pattern Matcher? Thanks! -Mike Cox
------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Fast Pattern Matcher not using http_raw_* content strings? Mike Cox (Sep 30)