While looking around what exactly happens for rule content matching, I came upon this commit:
As you can see, it comments out some lines. What would happen without this comment is that, when there’s an MPM match, it directly goes to the match section. As of right now, there needs to be an MPM match as well as an SPM match, which (I think) always happens since it’s the same content; however, it means scanning twice.
In addition to this commit, which was apparently meant to be temporary and has never been changed since, I’ve not been able to find the reasoning and roles behind MPM and SPM. All I’ve managed to understand is that they stand for Multi and Single Pattern Matching, and that MPM is done first (I guessed as a prefilter?) and SPM second.
SPM then does more in-depth analysis; for instance, it is what handles the distance, within, etc. keywords from the rule.
Is there any specific documentation or explanation? It would appear, especially since Hyperscan has been introduced, that the existence of the SPM is not as necessary as it might’ve been beforehand, and so I’m trying to understand if there’s more of a legacy-related structure, or if there’s something I’m missing (very likely, I would add).
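As an added illustration of the two stages described in the post (this is my own toy model, not code from the post or from Suricata's source), the block below runs an Aho-Corasick prefilter over every rule's fast pattern in a single pass (the MPM role) and then re-checks each candidate rule's full content chain with offset/depth/distance/within (the SPM role). The keyword semantics are simplified assumptions for the example (distance measured from the end of the previous match, within bounding where the next match must end relative to that same point, depth measured from the payload start, longest content chosen as fast pattern; no nocase, negation, negative values or buffer types), and the payload and rules are constructed.

```python
# Added toy model of two-stage content matching (illustrative, not Suricata):
#   stage 1 (MPM): Aho-Corasick over each rule's fast pattern -> candidate rules
#   stage 2 (SPM): per-candidate ordered content chain with offset/depth/distance/within
# Keyword semantics here are simplified assumptions of this example.
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Content:
    pattern: bytes
    offset: int = 0                  # absolute: earliest start, from payload start
    depth: Optional[int] = None      # absolute: match must end by this byte
    distance: Optional[int] = None   # relative: minimum gap after previous match end
    within: Optional[int] = None     # relative: must end within N bytes of previous match end


@dataclass
class Rule:
    sid: int
    contents: list


def build_automaton(patterns):
    """Aho-Corasick goto/fail/output tables over byte patterns (stage 1 setup)."""
    goto, out = [{}], [set()]
    for pat in patterns:
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto.append({})
                out.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].add(pat)
    fail = [0] * len(goto)
    queue = deque(goto[0].values())       # depth-1 nodes fail to the root
    while queue:
        r = queue.popleft()
        for b, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and b not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            out[s] |= out[fail[s]]        # inherit patterns that are suffixes
    return goto, fail, out


def mpm_scan(payload, automaton):
    """Stage 1 (MPM): one pass over the payload; returns every fast pattern seen."""
    goto, fail, out = automaton
    s, hits = 0, set()
    for b in payload:
        while s and b not in goto[s]:
            s = fail[s]
        s = goto[s].get(b, 0)
        hits |= out[s]
    return hits


def spm_verify(payload, contents, idx=0, prev_end=0):
    """Stage 2 (SPM): walk one rule's contents in order, honouring absolute
    (offset/depth) and relative (distance/within) modifiers, and backtrack to a
    later occurrence of an earlier content when the chain fails."""
    if idx == len(contents):
        return True
    c = contents[idx]
    relative = idx > 0 and (c.distance is not None or c.within is not None)
    if relative:
        start = prev_end + (c.distance or 0)
        end = len(payload) if c.within is None else prev_end + c.within
    else:
        start = c.offset
        end = len(payload) if c.depth is None else c.depth
    end = min(end, len(payload))
    pos = payload.find(c.pattern, start, end)   # match must lie fully inside [start, end)
    while pos != -1:
        if spm_verify(payload, contents, idx + 1, pos + len(c.pattern)):
            return True
        pos = payload.find(c.pattern, pos + 1, end)
    return False


def fast_pattern(rule):
    """Content handed to the MPM: the longest one (assumed default choice)."""
    return max(rule.contents, key=lambda c: len(c.pattern)).pattern


def detect(payload, rules):
    """Returns (candidate sids after MPM, alerting sids after SPM)."""
    fast = {}
    for r in rules:
        fast.setdefault(fast_pattern(r), []).append(r.sid)
    automaton = build_automaton(list(fast))
    candidates = sorted({sid for p in mpm_scan(payload, automaton) for sid in fast[p]})
    by_sid = {r.sid: r for r in rules}
    alerts = [sid for sid in candidates if spm_verify(payload, by_sid[sid].contents)]
    return candidates, alerts


# Constructed sample payload and rules (not real signatures).
SAMPLE_PAYLOAD = b"GET /login.php?user=admin HTTP/1.1\r\n"
SAMPLE_RULES = [
    Rule(1, [Content(b"GET "), Content(b"/login", distance=0, within=10)]),
    Rule(2, [Content(b"POST ")]),                                              # dropped by MPM
    Rule(3, [Content(b"admin"), Content(b"HTTP/1.1", distance=0, within=5)]),  # MPM hit, SPM: ends too late
    Rule(4, [Content(b"admin", depth=10)]),                                    # MPM hit, SPM: past depth
]

if __name__ == "__main__":
    print(detect(SAMPLE_PAYLOAD, SAMPLE_RULES))  # ([1, 3, 4], [1])
```

Rules 3 and 4 are the instructive cases: the MPM pass sees their fast patterns and so they survive as candidates, but only the SPM pass, which knows about the ordering and the relative and absolute modifiers, can reject them. Note also that `spm_verify` searches for the fast pattern again inside its window even though the MPM already found it, which is exactly the double scan the post points out.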