Snort mailing list archives

fast_pattern not always longest content string by default?


From: Mike Cox <mike.cox52 () gmail com>
Date: Wed, 22 Oct 2014 09:16:08 -0400

Hi All,

I was looking through some of my sigs with 'debug-print-fast-pattern' turned
on and noticed that the fast pattern string was not always the longest
content match by default.  Specifically, it appears that content matches in
(valid for fast_pattern) HTTP Inspect buffers (e.g. http_header, http_uri,
etc.) are taking priority.  For example, consider this sig:

alert tcp any any -> any $HTTP_PORTS (msg:"FP Test";
flow:established,to_server; content:"twitter.com"; http_header;
content:"hellow Twitter tweet"; sid:1234567;)

The longest content match is "hellow Twitter tweet" but when I look at the
fast pattern debug output, the fast pattern used is "twitter.com".

Having the HTTP Inspect buffers take priority makes sense because they will
be smaller than the entire packet and thus more efficient.  However, I do
not see this behavior documented in the manual which says, "the default
behavior of fast pattern determination is to use the longest content in the
rule..."

Can someone comment/confirm this?  It is looking like I may have to
review/tweak a plethora of sigs.... :(

Thanks!

-Mike Cox
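Added example (not part of the original post): the same rule with the fast pattern chosen explicitly, which is the usual way to stop the engine from picking a different content than the one you intended. The rule text and the snort.conf line below are constructed for illustration; the sid is a placeholder, and the only option names used are `fast_pattern` and `debug-print-fast-pattern`, both of which the post already refers to.

```snort
# snort.conf: keep whatever search-method you already use and add the debug
# option so the chosen fast pattern for every rule is printed at startup.
config detection: search-method ac-bnfa debug-print-fast-pattern

# Rule as posted, with the longest content explicitly marked as the fast
# pattern. Only one content per rule may carry the fast_pattern modifier;
# the http_header match still runs as a normal rule option afterwards.
alert tcp any any -> any $HTTP_PORTS (msg:"FP Test - explicit fast_pattern"; \
    flow:established,to_server; \
    content:"twitter.com"; http_header; \
    content:"hellow Twitter tweet"; fast_pattern; \
    sid:1234567; rev:2;)
```

After restarting with the debug option enabled, compare the printed fast pattern for this sid against the version without the modifier; when the two differ, the rule is one where the default selection did not pick the longest content. Which content is the better fast pattern depends on how rare it is in the traffic you see, not only on its length, so check the candidate against real traffic before changing a large number of rules.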
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel