snort --help-config http_inspect | grep http_inspect.profile
+=== SDF Preprocessor
+
+The Snort 2.X SDF Preprocessor is gone, replaced by ips option `sd_pattern`.
+The sd_pattern rule option is synonymous with the sd_pattern option used
+for gid:138 rules, but has a different syntax. A major difference in syntax
+is the use of Hyperscan pattern matching library which provides a regex
+language similar to PCRE.
+
+To facilitate continued performance, sd_pattern rule option is implemented
+with Hyperscan pattern matching library. The rule option is now also utilized
+as a "fast pattern" in the Snort engine which provides a significant performance
+improvement over the separate detection step of earlier implementations.
+
+The preprocessor alert SDF_COMBO_ALERT (139:1) has been removed and has no
+replacement in Snort 3.X. This is because the rule offered no additional
+value over gid:138 rules and was difficult to interpret the result of.
+
+For more information, See Features > Sensitive Data Filtering for details.
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
-// rule_metadata.cc author Josh Rosenbaum <jrosenba@cisco.com>
+// rule_sd_pattern.cc author Victor Roemer <viroemer@cisco.com>
#include <sstream>
#include <vector>
projects / thirdparty / snort3.git / commitdiff
