How does Suricata deal with a content match with a transformation applied to it which also acts as the fast_pattern?
For example:
dns.query; dotprefix; content:".google.com";
I assume there is some “magic” occurring that applies the fast_pattern of “google.com”?
The engine-analysis shows the fast_pattern includes the initial period
Fast Pattern analysis:
Fast pattern matcher: Flags: Nocase
Fast pattern set: no
Fast pattern only set: no
Fast pattern chop set: no
Original content: .google.com
Final content: .google.com
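Added illustration (not part of the original post, and not Suricata's own code): a small Python re-implementation of the behaviour the engine-analysis output points at. It assumes what the Suricata docs describe for dotprefix, namely that the transform prepends a single "." to the inspected buffer (so "google.com" becomes ".google.com") and leaves the rule's content untouched, which is why the fast pattern can keep its initial period. Because the analysis flags the pattern Nocase, the comparisons below are case-insensitive. The toy `mpm_prefilter` stands in for the multi-pattern matcher; the sample queries are constructed.

```python
"""Toy model of Suricata's dotprefix transform versus a fast_pattern that
keeps its leading dot.  Added example, not Suricata's code.

Assumption (from the Suricata docs): dotprefix prepends one '.' to the
inspected buffer, never to the rule's content, so ".google.com" is a valid
fast pattern as-is.  dns.query is flagged Nocase in the engine analysis, so
all comparisons here are case-insensitive.
"""

CONTENT = b".google.com"  # content from the rule in the question


def dotprefix(buf: bytes) -> bytes:
    """The transform: prepend a single dot to the buffer being inspected."""
    return b"." + buf


def mpm_prefilter(buf: bytes, fast_pattern: bytes) -> bool:
    """Stand-in for the multi-pattern matcher: a nocase substring scan
    over the (already transformed) buffer."""
    return fast_pattern.lower() in buf.lower()


def rule_matches(query: bytes, content: bytes = CONTENT) -> bool:
    """dns.query; dotprefix; content:".google.com"; as modelled here.

    The transform runs on the buffer first; both the fast-pattern
    prefilter and the full content check then see the transformed bytes,
    so nothing has to be chopped off the pattern.
    """
    transformed = dotprefix(query)
    if not mpm_prefilter(transformed, content):
        return False  # prefilter rejects: full inspection never runs
    return content.lower() in transformed.lower()


def naive_match(query: bytes, content: bytes = CONTENT) -> bool:
    """Same content without dotprefix, for contrast: a bare apex
    domain does not start with '.', so it cannot match."""
    return content.lower() in query.lower()


# Constructed sample queries, not captured traffic.
SAMPLE_QUERIES = [
    b"google.com",               # apex: matches only thanks to dotprefix
    b"www.google.com",           # subdomain: matches with or without
    b"WWW.GOOGLE.COM",           # nocase
    b"notgoogle.com",            # leading dot prevents this false positive
    b"google.com.evil.example",  # still matches: dotprefix does not anchor the end
]


def evaluate(queries=SAMPLE_QUERIES):
    """Return {query: (with_dotprefix, without_dotprefix)} for each query."""
    return {q: (rule_matches(q), naive_match(q)) for q in queries}


if __name__ == "__main__":
    for q, (with_dp, without_dp) in evaluate().items():
        print(f"{q.decode():28s} dotprefix={with_dp!s:5s} plain={without_dp}")
```

The last sample shows the caveat: dotprefix anchors the left edge of the domain, not the right, so ".google.com" also hits "google.com.evil.example"; anchoring the end is a separate job (for example an `endswith` on the same content).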