Fast_pattern and prefilter

Victor · January 6, 2022, 3:12pm

I have some questions about how fast_pattern and prefilter are used.

Is fast_pattern only used with the payload keyword 'content? The Suricata 6.00 user guide says that the prefilter engines for other non-MPM keywords can be enabled in specific rules by using the ‘prefilter’ keyword.

Which keywords are non-MPM?

Is the payload keyword ‘content’ a MPM keyword? What are other MPM keywords?

I will appreciate very much if someone can provide information for my questions.

Victor

vjulien · January 8, 2022, 7:10am

Yes, fast_pattern is only used with content.

To see which keywords support prefilter you can use
suricata --list-keywords=all

This shows a per keyword features field

tcp.flags:
	Description: detect which flags are set in the TCP header
	Features: prefilter
	Documentation: https://suricata.readthedocs.io/en/latest/rules/header-keywords.html#tcp-flags

Quick and dirty grep foo

suricata --list-keywords=all|grep -B2 prefilter|grep -v -P "^(\t|\-)"
app-layer-protocol:
tcp.ack:
tcp.seq:
tcp.flags:
fragbits:
fragoffset:
ttl:
itype:
icode:
icmp_id:
icmp_seq:
dsize:
flow:
id:
template2:
icmpv6.mtu:
tcp.mss:
prefilter:

Victor · January 10, 2022, 11:14pm

Thanks for the information. It is helpful.

Topic		Replies	Views
Content filtering does not seem to work without other payload keywords Rules rules , suricata	3	66	April 4, 2024
Fast_pattern and tranformations Help	2	351	August 17, 2021
Suricata.yaml configuration about "toserver_chunk_size" Rules rules	3	464	September 19, 2021
MPM context explanation Help	3	1060	October 6, 2021
Bypassing encrypted traffic does not seem to work Help	8	1505	December 10, 2021

Fast_pattern and prefilter

Related Topics