Feature #6926: new buffer that includes HTTP headers and the start of HTTP body
Description
When reviewing many rules that contain unbuffered content matches, a common pattern is matching on the end of the HTTP headers and the start of the HTTP body (either request or response). Because no buffer with this content exists, it's left unbuffered and is generally done to make a strong fast_pattern.
SID 2021532, shown below, is a good example of this.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W2KM_BARTALEX Downloading Payload M2"; flow:established,to_client; flowbits:isset,ET.BARTALEX; content:"text/plain|0d 0a 0d 0a|http"; fast_pattern; http.stat_code; content:"200"; file.data; content:"http"; within:4; pcre:"/^s?\x3a\x2f+[^\r\n\s]+\.exe/Ri"; classtype:trojan-activity; sid:2021532; rev:5; metadata:created_at 2015_07_24, updated_at 2024_03_06;)
Splitting this rule into buffers results in a less performant rule. However, as HTTP headers are compressed with HTTP/2, splitting the rule out into buffers is required when traffic can occur on either HTTP version.
As such, I'm wondering if it's possible to create a buffer that includes the HTTP headers and the start of HTTP body (with a sensible default length). This would result in the ability to continue using this pattern to make strong fast_patterns and function on HTTP1 and HTTP2.
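As an added illustration (not part of the ticket or of Suricata's code), the snippet below shows why the unbuffered pattern of SID 2021532 works on HTTP/1 bytes, fails on HTTP/2 wire bytes, and would work again against the proposed "headers plus start of body" buffer. It assumes the buffer would be built from normalized textual headers, the way the existing http.header buffer is for HTTP/2; the response, the HPACK encoding and the 64-byte body prefix are constructed here.

```python
import re

# The rule's unbuffered fast_pattern: end of the last header, blank line, start of body.
PATTERN = b"text/plain\r\n\r\nhttp"

# Constructed sample response; Content-Type is deliberately the last header.
STATUS_LINE = b"HTTP/1.1 200 OK"
HEADERS = [(b"Content-Length", b"36"), (b"Content-Type", b"text/plain")]
BODY = b"http://example.invalid/payload.exe\r\n"


def http1_wire() -> bytes:
    """Bytes as seen on an HTTP/1.1 connection."""
    hdrs = b"".join(n + b": " + v + b"\r\n" for n, v in HEADERS)
    return STATUS_LINE + b"\r\n" + hdrs + b"\r\n" + BODY


def hpack_literal(name: bytes, value: bytes) -> bytes:
    """HPACK 'literal header, never/not indexed, new name' (RFC 7541 6.2.2), no Huffman."""
    assert len(name) < 127 and len(value) < 127
    return b"\x00" + bytes([len(name)]) + name + bytes([len(value)]) + value


def http2_wire() -> bytes:
    """HEADERS frame payload followed by DATA frame payload (9-byte frame headers omitted)."""
    block = hpack_literal(b":status", b"200")
    block += b"".join(hpack_literal(n.lower(), v) for n, v in HEADERS)
    return block + BODY


def headers_plus_body_buffer(body_prefix: int = 64) -> bytes:
    """Hypothetical buffer from the ticket: normalized headers, blank line, first N body bytes.
    Built from parsed fields, so HTTP/1 and HTTP/2 traffic yield the same bytes."""
    hdrs = b"".join(n + b": " + v + b"\r\n" for n, v in HEADERS)
    return STATUS_LINE + b"\r\n" + hdrs + b"\r\n" + BODY[:body_prefix]


def body_part_matches(body: bytes) -> bool:
    """The rule's file.data part: 'http' within the first 4 bytes, then the pcre relative to it."""
    if body[:4] != b"http":
        return False
    return re.match(rb"^s?\x3a\x2f+[^\r\n\s]+\.exe", body[4:], re.I) is not None


def fast_pattern_hits() -> dict:
    return {
        "http1_raw": PATTERN in http1_wire(),          # True: unbuffered match works
        "http2_raw": PATTERN in http2_wire(),          # False: headers are HPACK-encoded
        "proposed_buffer": PATTERN in headers_plus_body_buffer(),  # True on both versions
    }
```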