Suricata

Suricata considers all file.data rule uses to use the same higher level buffer type, independent of the protocol the rules apply to. In practice a file.data can apply to either a specific protocol like smb or http, or it applies to all protocols that support file.data.

Looking at existing rulesets we see very many HTTP file.data rules and relatively few for other protocols. Due to how the mpm/fast_pattern handles file.data as a single buffer, this means that the scanning for file.data patterns in SMB will include the patterns for HTTP. This is obviously inefficient, as this means Suricata is doing expensive work that can never lead to a rule match.