Suricata

It seems that specifying a fast_pattern in base64_data is ignored both from an error/warning standpoint and from an actual fast_pattern assignment by suricata. It seems suricata should warn/fail on fast_pattern assignment in base64_data.

rule example:

alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)

suricata.log:

[52155] 29/3/2022 -- 20:20:41 - (detect-engine-loader.c:354) <Info> (SigLoadSignatures) -- 1 rule files processed. 1 rules successfully loaded, 0 rules failed

rules_fast_pattern.log:

== Sid: 123 ==
alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
    Fast Pattern analysis:
        Fast pattern matcher: http request method (http_method)
        Flags: None
        Fast pattern set: no
        Fast pattern only set: no
        Fast pattern chop set: no
        Original content: POST
        Final content: POST

This is Suricata version 7.0.0-dev (99b344336 2022-03-25)