Bug #5013 (open)
fast pattern discrepancy when using engine-analysis

Added by Peter Manev almost 3 years ago. Updated 4 months ago.

Status: New
Priority: Normal

Description

Using an example dns rule:

alert dns $HOME_NET any -> any any (msg:"DNS Lookup"; dns.query; content:"johny.bravo"; nocase; endswith; sid:111; rev:1; )

Running the engine analysis command:

/opt/suritest/bin/suricata -S test-dns.rules --engine-analysis -l logs/ -T

The results in logs/rules_analysis.txt and logs/rules.json differ in terms of fast_pattern (one says it is on the content buffer, the other that fast_pattern does not exist).

logs/rules_analysis.txt:

== Sid: 111 ==
alert dns $HOME_NET any -> any any (msg:"DNS Lookup"; dns.query; content:"johny.bravo"; nocase; endswith; sid:111; rev:1; )
    App layer protocol is dns.
    Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "johny.bravo" on "dns request query (dns_query)" buffer.
    Warning: TCP rule without a flow or flags option.
             -Consider adding flow or flags to improve performance of this rule.

logs/rules.json:

{
  "raw": "alert dns $HOME_NET any -> any any (msg:\"DNS Lookup\"; dns.query; content:\"johny.bravo\"; nocase; endswith; sid:111; rev:1; )",
  "id": 111,
  "gid": 1,
  "rev": 1,
  "msg": "DNS Lookup",
  "app_proto": "dns",
  "requirements": [
    "flow" 
  ],
  "flags": [
    "dst_any",
    "sp_any",
    "dp_any",
    "applayer",
    "toserver",
    "prefilter" 
  ],
  "pkt_engines": [],
  "engines": [
    {
      "name": "dns_query",
      "direction": "toserver",
      "is_mpm": true,
      "app_proto": "dns",
      "progress": 1,
      "matches": [
        {
          "name": "content",
          "content": {
            "pattern": "johny.bravo",
            "length": 11,
            "nocase": true,
            "negated": false,
            "starts_with": false,
            "ends_with": true,
            "is_mpm": true,
            "no_double_inspect": true,
            "fast_pattern": false
          }
        }
      ]
    }
  ],
  "lists": {},
  "mpm": {
    "buffer": "dns_query",
    "pattern": "johny.bravo",
    "length": 11,
    "nocase": true,
    "negated": false,
    "starts_with": false,
    "ends_with": true,
    "is_mpm": true,
    "no_double_inspect": true,
    "fast_pattern": false
  }
}

The question is which one is the accurate one.
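As an added example (not part of this ticket and not Suricata's own code), a small Python checker that reads both engine-analysis outputs and reports, per sid, whether the fast pattern/buffer named in the text report matches the "mpm" section of the JSON and what the JSON's "fast_pattern" flag says for that same pattern. It assumes rules.json is either one pretty-printed object or one object per line; the sample data is constructed from the two reports quoted above.

```python
import json
import re

# Constructed sample, abridged from the two reports quoted in this ticket.
RULES_JSON = """{"id": 111, "msg": "DNS Lookup",
 "engines": [{"name": "dns_query", "is_mpm": true, "matches": [{"name": "content",
   "content": {"pattern": "johny.bravo", "is_mpm": true, "fast_pattern": false}}]}],
 "mpm": {"buffer": "dns_query", "pattern": "johny.bravo", "is_mpm": true, "fast_pattern": false}}"""
RULES_ANALYSIS = """== Sid: 111 ==
alert dns $HOME_NET any -> any any (msg:"DNS Lookup"; dns.query; content:"johny.bravo"; nocase; endswith; sid:111; rev:1; )
    App layer protocol is dns.
    Fast Pattern "johny.bravo" on "dns request query (dns_query)" buffer.
"""

SID_RE = re.compile(r"^== Sid: (\d+) ==$", re.M)
# The text report prints the buffer as 'long name (short_name)'; the short name is what mpm.buffer uses.
FP_RE = re.compile(r'Fast Pattern "([^"]*)" on "[^"]*\((\w+)\)" buffer\.')

def parse_text_report(text):
    """sid -> (pattern, buffer) from rules_analysis.txt; rules without a Fast Pattern line are skipped."""
    parts = SID_RE.split(text)            # ['', '111', body, '112', body, ...]
    found = {}
    for sid, body in zip(parts[1::2], parts[2::2]):
        m = FP_RE.search(body)
        if m:
            found[int(sid)] = (m.group(1), m.group(2))
    return found

def parse_json_report(text):
    """sid -> (pattern, buffer, fast_pattern flag) from rules.json.
    Accepts one pretty-printed object or one object per line (assumption about the file layout)."""
    try:
        records = json.loads(text)
        records = records if isinstance(records, list) else [records]
    except json.JSONDecodeError:
        records = [json.loads(line) for line in text.splitlines() if line.strip()]
    found = {}
    for rec in records:
        mpm = rec.get("mpm") or {}
        if mpm:
            found[rec["id"]] = (mpm["pattern"], mpm["buffer"], bool(mpm.get("fast_pattern")))
    return found

def compare_reports(json_text, analysis_text):
    """sid -> finding: 'mpm_agrees' says both reports name the same pattern and buffer,
    'json_fast_pattern' is the flag the JSON attaches to that same pattern."""
    txt, js = parse_text_report(analysis_text), parse_json_report(json_text)
    out = {}
    for sid in sorted(set(txt) | set(js)):
        t, j = txt.get(sid), js.get(sid)
        out[sid] = {"text_fp": t, "json_mpm": j and j[:2],
                    "mpm_agrees": t is not None and j is not None and t == j[:2],
                    "json_fast_pattern": j[2] if j else None}
    return out

if __name__ == "__main__":
    for sid, finding in compare_reports(RULES_JSON, RULES_ANALYSIS).items():
        print(sid, finding)
```

Run over a full ruleset's pair of output files, a sid whose "mpm_agrees" is True while "json_fast_pattern" is False shows exactly the discrepancy reported here: both outputs pick the same content as the MPM pattern, but only the text report calls it the fast pattern.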
