fast_pattern raw_search concept #1
Description
In order to speed json processing up a "fast_pattern" concept can be implemented. This way a data structure containing all fast_patterns can quickly try and match against the logs without processing the json. Once a match is made they engine can they process the log in json and they start match the rest of the rule. Both fast_pattern and fast_pattern:only; can be implemented depending on what is needed.
Suricata has a good explanation of how their fast_pattern works!
https://suricata.readthedocs.io/en/suricata-6.0.0/rules/fast-pattern-explained.html