What’s the meaning of “toserver_chunk_size”? Can you give me a detailed example in rule matching? Thanks
Hello there!
With regards to toserver_chunk_size, this configuration value is used by our reassembly engine to reassemble TCP flow traffic. It affects the size of the portion of stream that is inspected by the engine.
(More details in our documentation: 10.1. Suricata.yaml — Suricata 7.0.0-dev documentation)
I can’t answer your question about a rule example, but to be honest I don’t quite know if it is used in them. I’m inclined to say it isn’t, and that it affects the engine …more in terms of performance and maybe resource consumption…
(I’m saying that after looking for direct usage examples in the default suricata ruleset and in our Suricata-verify tests, and not finding any)
What’s the difference between “fast_pattern” and “fast_pattern:only”?
Hi,
The fast_pattern keyword in a rule overrides Suricata’s selection of which content to use for the fast pattern match.
Suggest reviewing https://suricata.readthedocs.io/en/latest/rules/fast-pattern-explained.html for more information on fast patterns and how Suricata uses them.