Snort mailing list archives
Re: Fast Pattern Matcher not using http_raw_* content strings?
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 1 Oct 2014 21:04:45 +0000
Sorry I didn't answer you back on this sooner, Mike, but I am glad you found the answer!

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Oct 1, 2014, at 4:36 PM, Mike Cox <mike.cox52 () gmail com> wrote:

Never mind. I found a newer Snort manual as well as this helpful error message:

Cannot use the fast_pattern content modifier for a lone http cookie/http raw uri /http raw header /http raw cookie /status code / status msg /http method buffer content.

Good to know, thanks!

-Mike Cox

On Tue, Sep 30, 2014 at 1:59 PM, Mike Cox <mike.cox52 () gmail com> wrote:

I apologize if this is an elementary question, but the Snort manual wasn't *entirely* clear on this.

From what I can tell, the Fast Pattern Matcher isn't using content matches if they have an 'http_raw_*' keyword, even if they are the longest content match. However, non-'raw' HTTP Inspect keywords (e.g. "http_uri", "http_header", etc.) are used by the Fast Pattern Matcher and it searches the normalized buffer. Is this correct? Is this the case for all Snort versions that use the HTTP Inspect preprocessor and the Fast Pattern Matcher?

Thanks!

-Mike Cox

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
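The point of the thread, shown as a pair of Snort 2.9-style rules. These are added examples, not rules from the thread or from any Snort ruleset; the SIDs are hypothetical (local-rule range), the $HOME_NET/$HTTP_PORTS variables are the stock snort.conf defaults, and the HTTP Inspect preprocessor is assumed to be enabled. The first rule places fast_pattern on a content string that is only bound to http_raw_uri and is rejected at load time with the error Mike quoted; the second keeps the raw-buffer check but moves fast_pattern onto the normalized http_uri content, which the Fast Pattern Matcher can use.

```snort
# REJECTED at load time: fast_pattern on a lone http_raw_uri content.
# Snort reports "Cannot use the fast_pattern content modifier for a lone
# http cookie/http raw uri /http raw header /http raw cookie /status code /
# status msg /http method buffer content."
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE encoded /admin/ request (fast_pattern on raw buffer)"; \
    flow:to_server,established; \
    content:"%61dmin"; http_raw_uri; fast_pattern; \
    classtype:web-application-activity; sid:1000001; rev:1; )

# ACCEPTED: fast_pattern goes on the normalized-URI content (what the
# Fast Pattern Matcher searches), and the http_raw_uri content remains as
# a secondary, non-fast-pattern check for the percent-encoded form.
# HTTP Inspect decodes %61 to "a", so "/admin/" matches in the normalized
# buffer even when the client sent "/%61dmin/".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE encoded /admin/ request (fast_pattern on normalized URI)"; \
    flow:to_server,established; \
    content:"/admin/"; http_uri; fast_pattern; \
    content:"%61dmin"; http_raw_uri; \
    classtype:web-application-activity; sid:1000002; rev:1; )
```

To confirm the behaviour on your own build, load each rule with `snort -c snort.conf -T`: the first fails the configuration test with the quoted message, the second loads, and `snort --dump-dynamic-rules` is not needed since these are plain text rules. The practical rule of thumb from the thread is to give every HTTP rule at least one content bound to a normalized buffer (http_uri, http_header, http_client_body, etc.) and put fast_pattern there; http_raw_* contents then serve only to refine the match.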
Current thread:
- Re: Fast Pattern Matcher not using http_raw_* content strings? Mike Cox (Oct 01)
- Re: Fast Pattern Matcher not using http_raw_* content strings? Joel Esler (jesler) (Oct 01)