Fast_pattern and transformations

How does suricata deal with a content match with a transformation applied to it which also acts as the fast_pattern?

for example:

    dns.query; dotprefix; content:".google.com";

I assume there is some “magic” occurring that applies the fast_pattern of “google.com”?

The engine-analysis output shows the fast_pattern includes the initial period:

    Fast Pattern analysis:
        Fast pattern matcher:         Flags: Nocase
        Fast pattern set: no
        Fast pattern only set: no
        Fast pattern chop set: no
        Original content: .google.com
        Final content: .google.com

The transformation is applied before the MPM (multi pattern matcher) runs.

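The ordering described in the answer above (transform first, then the MPM search over the transformed buffer), as an added Python model that is not part of the original thread or of Suricata itself; the function names, the `anchor_end` option and the sample query names are constructed for illustration:

```python
# Added example, not Suricata's own code: a minimal Python model of how a
# dotprefix transformation interacts with the content/fast_pattern match
# from the rule above. Function names and sample query names are constructed.

RULE_CONTENT = b".google.com"   # content exactly as written in the rule


def dotprefix(buf: bytes) -> bytes:
    """Model of the dotprefix transform: prepend a '.' to the buffer."""
    return b"." + buf


def mpm_pattern(content: bytes) -> bytes:
    """The fast pattern is the full content, leading '.' included, as
    engine-analysis reports ("Final content: .google.com"). Lowercased
    to model the Nocase flag shown in the same output."""
    return content.lower()


def matches_rule(dns_query: bytes, content: bytes = RULE_CONTENT,
                 anchor_end: bool = False) -> bool:
    """Transform first, then search the transformed buffer, which is the
    order the answer above describes. dotprefix only anchors the left edge;
    anchor_end models adding a right-edge anchor (constructed option)."""
    transformed = dotprefix(dns_query).lower()
    pattern = mpm_pattern(content)
    if anchor_end:
        return transformed.endswith(pattern)
    return pattern in transformed


def matches_without_transform(dns_query: bytes,
                              content: bytes = RULE_CONTENT) -> bool:
    """What a search on the raw, untransformed buffer would give: the bare
    apex name 'google.com' is missed because nothing precedes it, which is
    why the transform has to run before the MPM."""
    return mpm_pattern(content) in dns_query.lower()


if __name__ == "__main__":
    # Constructed sample query names
    for q in (b"google.com", b"mail.google.com", b"notgoogle.com",
              b"google.com.example"):
        print(q.decode(), "->", matches_rule(q),
              "(end-anchored:", matches_rule(q, anchor_end=True), ")")
```

The `google.com.example` case shows the remaining caveat: dotprefix prevents a `notgoogle.com` false positive but does not by itself anchor the right edge of the name.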

Thanks for the confirmation! I was hoping that was the case.