Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Fast Pattern Matcher not using http_raw_* content strings?

From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 1 Oct 2014 21:04:45 +0000
Sorry I didn’t answer you back on this sooner Mike, but I am glad you found the answer!

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Oct 1, 2014, at 4:36 PM, Mike Cox <mike.cox52 () gmail com<mailto:mike.cox52 () gmail com>> wrote:

Nevermind.  I found a newer Snort manual as well as this helpful error message:


Cannot use the fast_pattern content modifier for a lone http cookie/http raw uri /http raw header /http raw cookie 
/status code / status msg /http method buffer content.

Good to know, thanks!

-Mike Cox

On Tue, Sep 30, 2014 at 1:59 PM, Mike Cox <mike.cox52 () gmail com<mailto:mike.cox52 () gmail com>> wrote:
I apologize if this is an elementary question but the Snort manual wasn't *entirely* clear on this.  From what I can 
tell, the Fast Pattern Matcher isn't using content matches if they have a 'http_raw_*' keyword, even if they are the 
longest content match.  However, non-'raw' HTTP Inspect keywords (e.g. "http_uri", "http_header", etc.) are used by the 
Fast Pattern Matcher and it searches the normalized buffer.  Is this correct?  Is this the case for all Snort versions 
that use the HTTP Inspect preprocessor and the Fast Pattern Matcher?

Thanks!

-Mike Cox

------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: