Snort mailing list archives

Fast Pattern Matcher not using http_raw_* content strings?


From: Mike Cox <mike.cox52 () gmail com>
Date: Tue, 30 Sep 2014 13:59:45 -0400

I apologize if this is an elementary question but the Snort manual wasn't
*entirely* clear on this.  From what I can tell, the Fast Pattern Matcher
isn't using content matches if they have a 'http_raw_*' keyword, even if
they are the longest content match.  However, non-'raw' HTTP Inspect
keywords (e.g. "http_uri", "http_header", etc.) are used by the Fast
Pattern Matcher and it searches the normalized buffer.  Is this correct?
Is this the case for all Snort versions that use the HTTP Inspect
preprocessor and the Fast Pattern Matcher?

Thanks!

-Mike Cox
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

