Good afternoon, dear colleagues. Please explain why some signatures do not contain an explicitly specified fast_pattern field?
Suricata will autoselect a pattern. The keyword is to have the rule writer decide which pattern will be used explicitly.
Thanks for the tip. I’ve already studied the heuristic fast-pattern selection algorithm. My experience shows that heuristic algorithms aren’t always effective. I’m curious why many rules don’t explicitly specify the fast-pattern. What’s the reason? One of my current goals is to develop a fast-pattern selection algorithm that chooses more efficiently.
In my opinion, suricata is a work of art and our mission is to make it even better!
For example, Let's Encrypt as a fast_pattern might not be the best choice, in my opinion. content:".gdn" would be better. Don't you think? It's shorter (better for SIMD) and appears less frequently (in my traffic).
== Sid: 2025190 ==
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.gdn)"; flow:established,to_client; tls.cert_subject; content:".gdn"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025190; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, confidence Medium, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_16;)
Fast Pattern analysis:
Fast pattern matcher: TLS certificate issuer (tls.cert_issuer)
Flags: None
Fast pattern set: no
Fast pattern only set: no
Fast pattern chop set: no
Original content: Let's Encrypt
Final content: Let's Encrypt
== Sid: 2025190 ==
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.gdn)"; flow:established,to_client; tls.cert_subject; content:".gdn"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025190; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, confidence Medium, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_16;)
Rule is App-layer TX inspecting.
App layer protocol is tls.
Fast Pattern "Let's Encrypt" on "TLS certificate issuer (tls.cert_issuer)" buffer.
No warnings for this rule.
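The selectivity argument in the post above (a fast pattern that fires less often lets fewer records through to full rule evaluation), as an added example that is not part of the thread and is not Suricata's own selection code. It models the MPM prefilter as a plain substring search over the sticky buffer each content is attached to, counts how many records survive that prefilter versus how many satisfy the whole rule, and then emits the rule with `fast_pattern;` set explicitly on the winner. `Record`, `SAMPLE`, the scoring in `best_fast_pattern` and the trimmed `RULE` string are assumptions made for illustration; the certificate records are constructed, not captured traffic.

```python
"""Selectivity check for the two content matches in ET sid:2025190.

Added example for this thread; it is not Suricata code and does not
reproduce Suricata's fast-pattern heuristic. The MPM prefilter is modelled
as a substring search over the buffer the content is attached to. The
certificate records below are constructed, not captured traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """Decoded certificate fields as Suricata exposes them (assumed shape)."""
    subject: str  # tls.cert_subject
    issuer: str   # tls.cert_issuer


# Constructed sample: mostly Let's Encrypt certs, two real .gdn subjects, and
# one ".gdnews" subject that contains the bytes ".gdn" without ending in them.
SAMPLE = [
    Record("CN=www.example.com", "C=US, O=Let's Encrypt, CN=R3"),
    Record("CN=shop.example.org", "C=US, O=Let's Encrypt, CN=R3"),
    Record("CN=mail.example.net", "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"),
    Record("CN=update.example.gdn", "C=US, O=Let's Encrypt, CN=R3"),
    Record("CN=cdn.example.gdn", "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"),
    Record("CN=portal.example.co.uk", "C=US, O=Let's Encrypt, CN=R3"),
    Record("CN=api.example.io", "C=GB, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"),
    Record("CN=news.gdnews.com", "C=US, O=Let's Encrypt, CN=R3"),
]

# The rule from the thread (metadata trimmed), with no explicit fast_pattern.
RULE = (
    'alert tls $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"ET HUNTING Observed Let\'s Encrypt Certificate for Suspicious TLD (.gdn)"; '
    'flow:established,to_client; tls.cert_subject; content:".gdn"; endswith; '
    'tls.cert_issuer; content:"Let\'s Encrypt"; classtype:bad-unknown; sid:2025190; rev:3;)'
)

# (sticky buffer, content) pairs the rule could hand to the MPM.
CONTENTS = [
    ("tls.cert_subject", ".gdn"),
    ("tls.cert_issuer", "Let's Encrypt"),
]
BUFFERS = {"tls.cert_subject": "subject", "tls.cert_issuer": "issuer"}


def prefilter_hits(records, buffer, pattern):
    """Records the MPM would flag: substring anywhere in the buffer. Modifiers
    such as endswith are not part of the prefilter, so ".gdnews" counts."""
    return [r for r in records if pattern in getattr(r, BUFFERS[buffer])]


def full_match(rec):
    """Every content of sid:2025190 evaluated with its modifiers."""
    return rec.subject.endswith(".gdn") and "Let's Encrypt" in rec.issuer


def selectivity(records):
    """Map (buffer, pattern) -> (records passing the prefilter, true rule matches)."""
    true_matches = sum(1 for r in records if full_match(r))
    return {
        (buf, pat): (len(prefilter_hits(records, buf, pat)), true_matches)
        for buf, pat in CONTENTS
    }


def best_fast_pattern(records):
    """Simplified scoring (assumption, not Suricata's heuristic): prefer the
    content that lets the fewest records through to full rule evaluation."""
    scores = selectivity(records)
    return min(scores, key=lambda key: scores[key][0])


def with_explicit_fast_pattern(rule, pattern):
    """Return the rule with `fast_pattern;` attached to the given content."""
    needle = f'content:"{pattern}";'
    if rule.count(needle) != 1:
        raise ValueError(f"expected exactly one {needle} in rule")
    return rule.replace(needle, needle + " fast_pattern;")


if __name__ == "__main__":
    for key, (hits, true) in selectivity(SAMPLE).items():
        print(f"{key[0]:17} {key[1]!r:16} prefilter hits={hits} true matches={true}")
    buf, pat = best_fast_pattern(SAMPLE)
    print("pick:", buf, repr(pat))
    print(with_explicit_fast_pattern(RULE, pat))
```

On the constructed sample, ".gdn" lets three records through to full evaluation and "Let's Encrypt" lets five, for a single true match either way; the ".gdnews" record shows that `endswith` narrows the rule but not the prefilter. The rewritten rule carries `content:".gdn"; fast_pattern; endswith;`, which is the explicit override the thread's second post describes; what Suricata actually selects for a rule file can be checked with `suricata --engine-analysis`, which is where the two analysis blocks above come from.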