Overview: content Keyword Fast Pattern Matcher
Note: These options are not supported when configuring the
The fast pattern matcher quickly determines which rules to evaluate before passing a packet to the rules engine. This initial determination improves performance by significantly reducing the number of rules used in packet evaluation.
By default, the fast pattern matcher searches packets for the longest content specified in a rule, because the longest content is the least likely to appear by chance and therefore eliminates the most needless rule evaluation. Consider the following example rule fragment:
    alert tcp any any -> any 80 (msg:"Exploit"; content:"GET"; http_method; nocase; content:"/exploit.cgi"; http_uri; nocase;)
Almost all HTTP client requests contain the content GET, but few will contain the content /exploit.cgi. Using GET as the fast pattern content would cause the rules engine to evaluate this rule in most cases and would rarely result in a match. However, most client GET requests would not be evaluated using /exploit.cgi, thus increasing performance.
The rules engine evaluates the packet against the rule only when the fast pattern matcher detects the specified content. For example, if one content keyword in a rule specifies the content short, another specifies longer, and a third specifies longest, the fast pattern matcher will use the content longest and the rule will be evaluated only if the rules engine finds longest in the payload.
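The following is an added example, not Snort's own code, that models the two-stage flow described above: each rule's fast pattern is chosen as its longest content (ties go to the first content in the rule, an assumption of this model), a cheap pre-filter checks only that pattern against the payload, and only rules that survive the pre-filter receive a full evaluation of every content keyword. The rule texts are constructed for the example (the first is the fragment shown on this page), the parser accepts only the simplified content/nocase syntax used here, and the http_method/http_uri buffer modifiers are ignored so that matching runs against the whole payload.

```python
import re

# Constructed sample rules; "Exploit" is the rule fragment shown on the page.
RULES = {
    "Exploit": 'alert tcp any any -> any 80 (msg:"Exploit"; content:"GET"; '
               'http_method; nocase; content:"/exploit.cgi"; http_uri; nocase;)',
    "Chain": 'alert tcp any any -> any 80 (msg:"Chain"; content:"short"; '
             'content:"longer"; content:"longest";)',
}


def parse_contents(rule):
    """Return [(pattern, nocase), ...] for each content keyword, in rule order.

    Simplified parser (assumption): the rule body is the text inside the
    outermost parentheses, options are separated by ';', and a 'nocase'
    modifier applies to the content keyword that precedes it.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents = []
    for option in (o.strip() for o in body.split(";")):
        m = re.fullmatch(r'content:"([^"]*)"', option)
        if m:
            contents.append([m.group(1), False])
        elif option == "nocase" and contents:
            contents[-1][1] = True
    return [tuple(c) for c in contents]


def select_fast_pattern(contents):
    """Default policy from the page: the longest content becomes the fast pattern.

    max() keeps the first element on ties, so equal-length contents resolve
    to the earliest one in the rule (an assumption of this model).
    """
    return max(contents, key=lambda c: len(c[0]))


def _contains(payload, pattern, nocase):
    """Substring test honouring the nocase modifier."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def fast_pattern_prefilter(rules, payload):
    """Stage 1: return the names of rules whose fast pattern occurs in the payload.

    Rules not returned here are never handed to the rules engine at all,
    which is where the performance gain described on the page comes from.
    """
    candidates = []
    for name, rule in rules.items():
        pattern, nocase = select_fast_pattern(parse_contents(rule))
        if _contains(payload, pattern, nocase):
            candidates.append(name)
    return candidates


def full_evaluate(rule, payload):
    """Stage 2: every content keyword in the rule must match (buffers ignored)."""
    return all(_contains(payload, p, nc) for p, nc in parse_contents(rule))


def detect(rules, payload):
    """Run both stages and return the rules that actually alert."""
    return [name for name in fast_pattern_prefilter(rules, payload)
            if full_evaluate(rules[name], payload)]


if __name__ == "__main__":
    for payload in ("GET /index.html HTTP/1.1", "GET /Exploit.CGI HTTP/1.1",
                    "short and longer", "the longest one"):
        print(repr(payload), "->", detect(RULES, payload))
```

Running the module shows that an ordinary GET request is dropped at the pre-filter stage for both rules, while a request containing /exploit.cgi (in any case) passes the pre-filter and alerts; a payload containing only "short" and "longer" never reaches full evaluation for the "Chain" rule because "longest" is absent.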