Fast_pattern and transformations

How does Suricata deal with a content match with a transformation applied to it which also acts as the fast_pattern?

For example:

dns.query; dotprefix; content:"";

I assume there is some “magic” occurring that applies the fast_pattern of “”?

The engine-analysis shows the fast_pattern includes the initial period.

    Fast Pattern analysis:
        Fast pattern matcher:         Flags: Nocase
        Fast pattern set: no
        Fast pattern only set: no
        Fast pattern chop set: no
        Original content:
        Final content:

The transformation is applied before the MPM (multi pattern matcher) runs.

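A small model of the behaviour confirmed above, added here as an example and not taken from the thread or from Suricata's source: the dotprefix transform runs on the dns.query buffer first, and the toy multi-pattern prefilter then searches the transformed buffer with a fast pattern that keeps its leading period. The rule content ".example.com" and the query names are constructed values for illustration.

```python
# Added example (not from the Suricata forum post or Suricata's source):
# a minimal model of a content match on a dotprefix-transformed buffer.
# The rule content ".example.com" and the DNS query names used in the
# test are constructed for illustration.


def dotprefix(buf: str) -> str:
    """Model of Suricata's dotprefix transform: prepend '.' to the buffer."""
    return "." + buf


def mpm_prefilter(buf: str, fast_patterns: dict) -> set:
    """Toy multi-pattern matcher: case-insensitive substring search for each
    signature's fast pattern (the Nocase flag from the engine-analysis output).
    Suricata's real MPM uses Aho-Corasick or Hyperscan, but the property shown
    here is the same: it searches whatever buffer it is handed."""
    low = buf.lower()
    return {sid for sid, pat in fast_patterns.items() if pat.lower() in low}


def evaluate(query_name: str, rule_content: str, transform: bool) -> bool:
    """Run one rule whose content is also its fast pattern against a
    dns.query buffer, with or without the dotprefix transform applied."""
    buf = dotprefix(query_name) if transform else query_name
    # The fast pattern handed to the MPM is the (untouched) content, so its
    # leading period is part of the pattern, as engine-analysis reports.
    candidates = mpm_prefilter(buf, {"1": rule_content})
    # Full rule evaluation only runs for prefilter candidates; since the
    # fast pattern is the whole content here, candidate == match.
    return "1" in candidates


def matrix(query_names: list, rule_content: str) -> dict:
    """Compare outcomes with and without the transform for several names."""
    return {
        name: {
            "with_dotprefix": evaluate(name, rule_content, True),
            "without_dotprefix": evaluate(name, rule_content, False),
        }
        for name in query_names
    }
```

With the transform, ".example.com" matches both the apex domain and its subdomains while rejecting "notexample.com"; without it, the same content cannot match the bare apex name at all.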

Thanks for the confirmation! I was hoping that was the case.