Re: Fast Pattern Matcher not using http_raw_* content strings?

[Mike Cox <mike.cox52 () gmail com>]

Nevermind.  I found a newer Snort manual as well as this helpful error
message:

Cannot use the fast_pattern content modifier for a lone http
cookie/http raw uri /http raw header /http raw cookie /status code /
status msg /http method buffer content.


Good to know, thanks!

-Mike Cox

On Tue, Sep 30, 2014 at 1:59 PM, Mike Cox <mike.cox52 () gmail com> wrote:

> I apologize if this is an elementary question but the Snort manual wasn't
> *entirely* clear on this.  From what I can tell, the Fast Pattern Matcher
> isn't using content matches if they have a 'http_raw_*' keyword, even if
> they are the longest content match.  However, non-'raw' HTTP Inspect
> keywords (e.g. "http_uri", "http_header", etc.) are used by the Fast
> Pattern Matcher and it searches the normalized buffer.  Is this correct?
> Is this the case for all Snort versions that use the HTTP Inspect
> preprocessor and the Fast Pattern Matcher?
>
> Thanks!
>
> -Mike Cox
------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!