The prefilter keyword allows Suricata to use keywords that are not part of the multi-pattern-matcher detection engine as fast_patterns. (prefilter reference: 8.10. Prefiltering Keywords — Suricata 7.0.2-dev documentation)
The MPM detection engine is what looks at the fast_pattern content of a signature to determine if the signature is evaluated further. (MPM reference: 12.1. Suricata.yaml — Suricata 7.0.2-dev documentation)
The current version of suricata.yaml has the following default settings (reference: https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L1656C1-L1671C17):
detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
  # If set to yes, the loading of signatures will be made after the capture
  # is started. This will limit the downtime in IPS mode.
  #delayed-detect: yes

  prefilter:
    # default prefiltering setting. "mpm" only creates MPM/fast_pattern
    # engines. "auto" also sets up prefilter engines for other keywords.
    # Use --list-keywords=all to see which keywords support prefiltering.
    default: mpm
The default Suricata configuration only uses keywords that support MPM in the prefilter engine.
To obtain a current list of prefilter supported keywords, the following can be run from a command line:
suricata --list-keywords=csv | grep -F 'prefilter' | cut -f1 -d\;
which outputs the following list of keywords:
app-layer-protocol
tcp.ack
tcp.seq
tcp.flags
fragbits
fragoffset
ttl
itype
icode
icmp_id
icmp_seq
dsize
flow
fast_pattern
id
stream_size
flow.age
template2
icmpv6.mtu
tcp.mss
prefilter
The Suricata version used for this writeup is 7.0.2-dev (1a132f454 2023-10-06).
So when would you use the prefilter keyword? A potential use case is a signature whose content matches are very short (one or two bytes), which makes them poor fast_pattern candidates.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Using prefilter keywords"; \
flow:established,to_server; content:"|6f 94|"; dsize:2; stream_size:client,=,3; prefilter; \
classtype:misc-activity; sid:1; rev:1;)
This signature would use the stream_size keyword (the option immediately preceding prefilter) for the prefilter matching.
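As an added example (not code from the writeup or from the Suricata project), the following Python script reproduces the grep/cut pipeline above on a constructed sample of the --list-keywords=csv output and then checks a rule the way Suricata does at load time: the prefilter keyword binds to the option immediately before it, so that option must be one of the prefilter-capable keywords. The CSV column layout, the descriptions and the feature flags in the sample are assumptions.

```python
# Constructed sample shaped like `suricata --list-keywords=csv` output
# (name;description;app layer;features;documentation); rows are assumptions.
# As in the grep/cut pipeline, only the first column and the word "prefilter" matter.
LIST_KEYWORDS_CSV = """\
name;description;app layer;features;documentation
app-layer-protocol;match on the detected app-layer protocol;;prefilter;
content;match on payload content;;;
dsize;match on the size of the packet payload;;prefilter;
stream_size;match on amount of bytes of the stream;;prefilter;
prefilter;force a non-MPM keyword to be used as prefilter;;;
"""
# The rule from the writeup, kept with its backslash line continuations.
RULE = r"""alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Using prefilter keywords"; \
flow:established,to_server; content:"|6f 94|"; dsize:2; stream_size:client,=,3; prefilter; \
classtype:misc-activity; sid:1; rev:1;)"""

def prefilter_keywords(csv_text):
    """Same as: grep -F 'prefilter' | cut -f1 -d';' over the CSV listing."""
    return {line.split(";")[0] for line in csv_text.splitlines() if "prefilter" in line}

def rule_option_keywords(rule):
    """Option keywords of a rule in order, values dropped. Splits on ';' only
    outside double quotes so a quoted or escaped ';' in msg/content is safe."""
    body = rule.replace("\\\n", " ")                      # join continued lines
    body = body[body.index("(") + 1:body.rindex(")")] + ";"  # ';' flushes last option
    keys, cur, in_quote, i = [], "", False, 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == "\\":  # keep escaped char such as \; or \"
            cur, i = cur + body[i:i + 2], i + 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if cur.strip():
                keys.append(cur.strip().split(":", 1)[0].strip())
            cur = ""
        else:
            cur += ch
        i += 1
    return keys

def prefilter_target(rule, supported):
    """Suricata attaches 'prefilter' to the keyword immediately before it. Return
    (that keyword, keyword in supported); (None, False) if none precedes it."""
    keys = rule_option_keywords(rule)
    if "prefilter" not in keys or keys.index("prefilter") == 0:
        return None, False
    target = keys[keys.index("prefilter") - 1]
    return target, target in supported
```

With the writeup's rule the check returns ("stream_size", True); moving prefilter directly after the content match would return ("content", False), which Suricata rejects at rule load.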
dsize keyword documentation: 8.7. Payload Keywords — Suricata 7.0.2-dev documentation
stream_size keyword documentation: 8.11. Flow Keywords — Suricata 7.0.2-dev documentation