Snort's fast pattern matcher is crucial for performance, as it determines which packets qualify for the additional processing that comes with rule option evaluation. At a high level, the fast pattern engine takes a single content match from a rule and searches for it in the packet to decide whether the rest of the rule should be evaluated against the traffic. The ideal fast pattern is one which, if found, is very likely to result in a rule match. Fast patterns that match frequently against unrelated traffic will cause Snort to work hard with little to show for it.
Fast pattern matches are either explicitly set with the fast_pattern option or set automatically to the longest content match if the option is not specified. However, it's important to keep in mind that the longest pattern is sometimes not the most selective one, and so one can add the fast_pattern modifier to a different content option to maximize performance.
During rule evaluation, the content string selected as the fast_pattern match will automatically be skipped if possible, i.e. it is not evaluated a second time as a regular rule option once the fast pattern matcher has already found it. This is a change from Snort 2. Previously, users would have to specify fast_pattern:only to evaluate a fast_pattern match only once; Snort 3 now intelligently evaluates the fast_pattern match only once if it is able.
Note: Certain buffers are not eligible to contain fast_pattern content matches, and those include the following:
Users can also specify that only a portion of a content match be used as a fast_pattern. This is specified with two modifiers, fast_pattern_offset and fast_pattern_length. The former sets the number of leading characters of this content the fast pattern should exclude, while the latter sets the number of characters from this content to include in the fast pattern matcher. Valid values are 0:65535 and 1:65535 for offset and length, respectively.
fast_pattern_offset offset, fast_pattern_length length

# Only the "/not_a_cnc_endpoint.php" portion of the match is used as the fast pattern
content:"/index/not_a_cnc_endpoint.php",fast_pattern_offset 6,fast_pattern_length 23;
The option above will, however, still evaluate the full content match normally as long as the fast pattern check is successful.
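To make the two selection rules above concrete (an explicit fast_pattern wins, otherwise the longest content is used, and fast_pattern_offset/fast_pattern_length then trim the chosen content), here is a small Python model of that logic. This is an added example, not Snort's own code: the rule-body parser is deliberately minimal (it only understands content, its fast_pattern, fast_pattern_offset and fast_pattern_length modifiers, and |hex| byte escapes), and the tie-breaking rule for equal-length contents and the absence of negated-content handling are assumptions of this example, not documented Snort behaviour.

```python
"""Model of Snort 3 fast pattern selection (added example, not Snort code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_OFFSET = 65535  # fast_pattern_offset valid range: 0:65535
MAX_LENGTH = 65535  # fast_pattern_length valid range: 1:65535


def decode_content(text: str) -> bytes:
    """Decode a content string: text outside |...| is literal, text inside
    |...| is space-separated hex bytes. Lengths are measured on the result."""
    parts = text.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content: %r" % text)
    out = bytearray()
    for i, part in enumerate(parts):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


@dataclass
class ContentMatch:
    raw: str                          # quoted string as written in the rule
    explicit: bool = False            # fast_pattern modifier present
    fp_offset: int = 0                # fast_pattern_offset (default 0)
    fp_length: Optional[int] = None   # fast_pattern_length (default: to end)

    @property
    def data(self) -> bytes:
        return decode_content(self.raw)

    def fast_pattern_bytes(self) -> bytes:
        """Portion of this content handed to the fast pattern matcher."""
        if not 0 <= self.fp_offset <= MAX_OFFSET:
            raise ValueError("fast_pattern_offset outside 0:65535")
        if self.fp_length is not None and not 1 <= self.fp_length <= MAX_LENGTH:
            raise ValueError("fast_pattern_length outside 1:65535")
        data = self.data
        if self.fp_offset >= len(data):
            raise ValueError("fast_pattern_offset skips the whole content")
        end = None if self.fp_length is None else self.fp_offset + self.fp_length
        return data[self.fp_offset:end]


def _split_outside_quotes(text: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators that appear inside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == sep and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_contents(rule_body: str) -> List[ContentMatch]:
    """Extract every content option (and its fast_pattern modifiers) from a
    rule body such as 'msg:"x"; content:"abc",fast_pattern; sid:1;'."""
    contents = []
    for option in _split_outside_quotes(rule_body, ";"):
        name, _, rest = option.partition(":")
        if name.strip() != "content":
            continue
        fields = _split_outside_quotes(rest, ",")
        quoted = fields[0]
        if not (quoted.startswith('"') and quoted.endswith('"')):
            raise ValueError("content pattern must be quoted: %r" % quoted)
        cm = ContentMatch(raw=quoted[1:-1])
        for modifier in fields[1:]:
            key, _, arg = modifier.partition(" ")
            if key == "fast_pattern":
                cm.explicit = True
            elif key == "fast_pattern_offset":
                cm.fp_offset = int(arg)
            elif key == "fast_pattern_length":
                cm.fp_length = int(arg)
            # other modifiers (nocase, depth, within, ...) do not affect selection
        contents.append(cm)
    return contents


def choose_fast_pattern(contents: List[ContentMatch]) -> Tuple[ContentMatch, bytes]:
    """Explicit fast_pattern wins; otherwise the longest content by decoded
    byte length is used (first one on a tie: an assumption of this model)."""
    explicit = [c for c in contents if c.explicit]
    if len(explicit) > 1:
        raise ValueError("only one content may carry fast_pattern")
    if explicit:
        chosen = explicit[0]
    elif contents:
        chosen = max(contents, key=lambda c: len(c.data))
    else:
        raise ValueError("rule has no content option")
    return chosen, chosen.fast_pattern_bytes()


if __name__ == "__main__":
    # Constructed rule body reusing the option from the text above.
    body = ('msg:"example"; content:"GET"; '
            'content:"/index/not_a_cnc_endpoint.php",fast_pattern_offset 6,fast_pattern_length 23; '
            'sid:1000001;')
    chosen, fp = choose_fast_pattern(parse_contents(body))
    print("%s -> %r" % (chosen.raw, fp))
```

Running the block on the constructed rule body reports the longer content as the one selected, trimmed by the offset and length to the "/not_a_cnc_endpoint.php" portion; adding fast_pattern to the shorter "GET" content instead makes that the selected pattern regardless of length, which is exactly the trade-off the text warns about.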