I'm attempting to create a Suricata rule that will match a packet if and only if all content is found and in a specific order.
The problem with my current rule is that it will match even if the packet content is test2 test1.
Is there a way to achieve this functionality without using pcre?
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"Test Rule"; flow:established,to_server; content:"test1"; fast_pattern; content:"test2"; distance:0; classtype:web-application-activity; sid:5182976; rev:2;)
I figured out that the method I was using to test the Suricata signatures was duplicating the tested data at some point causing for the signature to always fire.
As to answer my own question, content order can be enforced by adding a distance modifier after the first content match.
As seen in:
content:"one"; content:"two"; distance:0; content:"three"; distance:0; . . .
As far as I can tell, the fast_pattern keyword can be omitted.