fast_pattern

Snort's fast pattern matcher is crucial for performance, as it determines which packets qualify for the additional processing that comes with rule option evaluation. At a high level, the fast pattern engine takes a single content match from each rule and searches for it in the packet; only if that pattern is found does Snort go on to evaluate the rest of the rule against the traffic. The ideal fast pattern is one which, if found, is very likely to result in a full rule match. Fast patterns that match frequently against unrelated traffic cause Snort to do the expensive full evaluation with little to show for it.

The fast pattern is either set explicitly with the fast_pattern option or, if the option is not specified, chosen automatically as the longest content match in the rule. However, the longest content is not always the most unique one, so adding the fast_pattern modifier to the most distinctive content in the rule can improve performance.

During rule evaluation, the content selected as the fast pattern is skipped when possible, since the fast pattern matcher has already found it in the packet. This is a change from Snort 2, where users had to specify fast_pattern:only to avoid evaluating the fast pattern content a second time; Snort 3 evaluates the fast pattern content only once whenever it is able.

Note: Certain buffers are not eligible to contain fast_pattern content matches, and those include the following: http_raw_cookie, http_param, http_raw_body, http_version, http_raw_request, http_raw_status, http_raw_trailer, and http_true_ip.

Format:

fast_pattern

Example:

content:"super_secret_encryption_key",fast_pattern;

fast_pattern_offset, fast_pattern_length

Users can also specify that only a portion of a content match be used as the fast pattern. This is done with two modifiers, fast_pattern_offset and fast_pattern_length. The former sets the number of leading characters of the content to exclude from the fast pattern, while the latter sets the number of characters, counted from that offset, to hand to the fast pattern matcher. Valid values are 0:65535 for the offset and 1:65535 for the length.

Format:

fast_pattern_offset offset, fast_pattern_length length

Example:

# Only the "/not_a_cnc_endpoint.php" portion of the match is used as the fast pattern
content:"/index/not_a_cnc_endpoint.php",fast_pattern_offset 6,fast_pattern_length 23;

Once the fast pattern check succeeds, the rule still evaluates the full content match ("/index/not_a_cnc_endpoint.php") normally; the offset and length only restrict what the fast pattern matcher searches for.
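The following is an added example, not code from Snort or this documentation. It is a simplified Python model of the behaviour described on this page (one content per rule acts as the fast pattern, chosen explicitly or as the longest content; fast_pattern_offset and fast_pattern_length trim what the matcher loads; the listed HTTP buffers are ineligible) and runs it over a few constructed HTTP requests to show why the longest content is not always the best prefilter. The Content class, the tie-breaking rule, the buffer names used as labels, and the sample traffic are all assumptions made for the illustration; it ignores buffer semantics and simply searches the whole packet.

```python
"""Simplified model of Snort 3 fast-pattern selection (added example, not Snort code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Buffers the documentation lists as ineligible to hold a fast_pattern content.
FP_INELIGIBLE_BUFFERS = frozenset({
    "http_raw_cookie", "http_param", "http_raw_body", "http_version",
    "http_raw_request", "http_raw_status", "http_raw_trailer", "http_true_ip",
})


@dataclass
class Content:
    pattern: bytes
    buffer: str = "pkt_data"          # name of the buffer the content applies to (label only here)
    fast_pattern: bool = False        # explicit fast_pattern modifier
    fp_offset: int = 0                # fast_pattern_offset, valid range 0:65535
    fp_length: Optional[int] = None   # fast_pattern_length, valid range 1:65535; None = remainder


def fast_pattern_bytes(c: Content) -> bytes:
    """Bytes the fast pattern matcher would load for this content, after applying
    fast_pattern_offset / fast_pattern_length with the documented range checks."""
    if not 0 <= c.fp_offset <= 65535:
        raise ValueError("fast_pattern_offset must be in 0:65535")
    length = c.fp_length if c.fp_length is not None else len(c.pattern) - c.fp_offset
    if not 1 <= length <= 65535:
        raise ValueError("fast_pattern_length must be in 1:65535")
    if c.fp_offset + length > len(c.pattern):
        raise ValueError("fast_pattern_offset + fast_pattern_length exceed the content")
    return c.pattern[c.fp_offset:c.fp_offset + length]


def select_fast_pattern(contents: List[Content]) -> Content:
    """Pick the rule's fast pattern: the content flagged fast_pattern if there is one,
    otherwise the longest eligible content. On a tie the first content wins; that
    tie rule is an assumption of this model, not documented Snort behaviour."""
    flagged = [c for c in contents if c.fast_pattern]
    if len(flagged) > 1:
        raise ValueError("only one content may carry fast_pattern")
    if flagged:
        if flagged[0].buffer in FP_INELIGIBLE_BUFFERS:
            raise ValueError(f"{flagged[0].buffer} cannot hold a fast_pattern content")
        return flagged[0]
    eligible = [c for c in contents if c.buffer not in FP_INELIGIBLE_BUFFERS]
    if not eligible:
        raise ValueError("rule has no content eligible to be a fast pattern")
    return max(eligible, key=lambda c: len(c.pattern))


def prefilter_stats(contents: List[Content], packets: List[bytes]) -> Dict[str, object]:
    """Count packets that pass the fast-pattern prefilter versus packets that satisfy
    every content; the difference is full rule evaluations that produced no alert."""
    fp = fast_pattern_bytes(select_fast_pattern(contents))
    prefilter_hits = sum(1 for p in packets if fp in p)
    rule_matches = sum(1 for p in packets if all(c.pattern in p for c in contents))
    return {"fast_pattern": fp, "prefilter_hits": prefilter_hits,
            "rule_matches": rule_matches, "wasted": prefilter_hits - rule_matches}


# Constructed sample traffic (not real captures): a long but common User-Agent
# header and a short but distinctive URI appear in different combinations.
UA = b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
URI = b"/index/not_a_cnc_endpoint.php"
SAMPLE_PACKETS = [
    b"GET " + URI + b"?id=1 HTTP/1.1\r\n" + UA + b"\r\n",          # both contents
    b"GET /index/home.html HTTP/1.1\r\n" + UA + b"\r\n",            # UA only
    b"GET /index/about.html HTTP/1.1\r\n" + UA + b"\r\n",           # UA only
    b"POST /upload HTTP/1.1\r\nUser-Agent: curl/8.0\r\n",            # neither
    b"GET " + URI + b" HTTP/1.1\r\nUser-Agent: curl/8.0\r\n",       # URI only
    b"GET " + URI + b" HTTP/1.1\r\n" + UA + b"\r\n",                # both contents
]

# No fast_pattern given: the longest content (the User-Agent) is selected automatically.
AUTO_RULE = [Content(UA, buffer="http_header"), Content(URI, buffer="http_uri")]

# Same contents, but the distinctive URI tail is pinned as the fast pattern using
# the offset/length from the documentation's example.
TUNED_RULE = [Content(UA, buffer="http_header"),
              Content(URI, buffer="http_uri", fast_pattern=True, fp_offset=6, fp_length=23)]


if __name__ == "__main__":
    for name, rule in (("auto", AUTO_RULE), ("tuned", TUNED_RULE)):
        print(name, prefilter_stats(rule, SAMPLE_PACKETS))
```

With the constructed traffic the automatically chosen User-Agent content passes four of six packets through the prefilter for only two real rule matches, while the tuned rule passes three; the same full content match is evaluated either way once the prefilter fires, which is why moving fast_pattern to the most distinctive content costs nothing in detection but saves full evaluations.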