Hello again! Sorry for being a nuisance, but I have another question. The documentation states that regular expressions are executed last, after content matches: https://docs.suricata.io/en/latest/rules/payload-keywords.html#pcre-perl-compatible-regular-expressions. However, during testing, I found that this is not always the case (profiling files are attached). It turns out that in some cases, regular expressions can be executed faster than content-based searching. How can I predetermine the priority of checking regular expressions over content in a specific signature? Is this possible?
Another question while I’m at it. While studying the forum and available information, I discovered that there was previously an idea to reuse content match results from fast_pattern later (during signature checking in SPM). Why was this idea abandoned?
data.zip (189 Bytes)
rule_perf.log (636.2 KB)
suricata.rules (991.5 KB)
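For readers following the documented ordering the question refers to, here is an added example rule (constructed for this thread, not taken from the poster's attachments or from the Suricata project) showing how that ordering is normally used to keep the regex cheap: the fast_pattern content is offered to the multi-pattern prefilter, any further content keywords are confirmed in the detect engine, and the pcre runs last, anchored relative to the previous content match with the /R modifier so it only has to scan the bytes after an already confirmed hit. The message text, sid and pattern values are assumptions chosen for illustration.

```suricata
# Constructed example rule, not from the original post.
# Evaluation order follows the documented keyword ordering:
#   1. "/upload/" (fast_pattern) is checked by the multi-pattern prefilter,
#   2. the remaining content keyword is confirmed in the detect engine,
#   3. the pcre runs last; /R makes it relative to the end of the previous
#      content match, and ^ anchors it there, so the regex never rescans
#      the whole URI buffer.
alert http any any -> any any (msg:"EXAMPLE upload path with scripted filename"; flow:established,to_server; http.uri; content:"/upload/"; fast_pattern; content:".ph"; distance:0; pcre:"/^(p[0-9]?|tml)$/R"; classtype:web-application-activity; sid:9000001; rev:1;)
```

The rule language itself offers no keyword that promotes a pcre ahead of the content keywords; what the author controls is how much work the regex is handed, through the sticky buffer, the relative modifier and anchoring. Syntax of a rule like this can be checked without traffic using `suricata -T -S example.rules` against a local config, and the per-keyword cost that the attached rule_perf.log reports is what to compare after such a change.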