Suricata

I was looking at the 1 character MPM patterns to see how they are used in rules, since they can be bad for MPM matching. I have seen several rules where there is a specific first character matching. I’m wondering if it would be worth having a special test based on just checking the first character of the buffer.

Options:
1) A table indexed by the first character of the buffer, that returns a set of rules that are enabled. If the only content is that first character, the rule would be enabled
2) Use the first character in selecting the Pattern Group. For example, if the first character is one that has an exact match use one group, otherwise a second group.

For example, 2010486, has only one content:|17| with depth:1.

I count 204 rules in a recent install-full set of rules with “grep “depth:1;” | grep –v offset | wc –l” and not commented.