Custom Signature Regex

Jan 9th, 2008

Does the Regex engine used by the IPS support lookahead syntax? I'm working on creating a custom signature using the TCP String engine that I want to fire if it both finds a given string, and does not find a second string. A negative lookahead seemed like the logical way to do this but when I try to use one I get a regex error from the sensor.

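To make the condition in the question concrete, the following is an added example (not code from the thread or from Cisco): it shows the "contains string A and does not contain string B" check written as a single negative-lookahead pattern, and the same logic expressed as two plain patterns combined outside the regex engine, which is the fallback when a signature engine rejects lookahead syntax. The two strings and the sample payloads are constructed placeholders.

```python
import re

# Sample TCP payloads, constructed for this example (not from the thread).
PAYLOADS = [
    b"GET /admin/config HTTP/1.1\r\nHost: internal\r\n",         # has A, lacks B -> fire
    b"GET /admin/config HTTP/1.1\r\nX-Scanner: authorized\r\n",  # has A and B  -> no fire
    b"GET /index.html HTTP/1.1\r\nHost: internal\r\n",           # lacks A      -> no fire
]

# Placeholder strings standing in for the two strings in the question.
MUST_MATCH = b"/admin/config"          # string A: must be present
MUST_NOT_MATCH = b"X-Scanner: authorized"  # string B: must be absent

# 1. One pattern using a negative lookahead (PCRE / Python syntax).
#    (?s) lets '.' cross newlines; \A anchors the assertion at the start
#    so the lookahead scans the whole payload for string B before we
#    go looking for string A.  This is the form the IPS engine rejected.
LOOKAHEAD_RE = re.compile(
    rb"(?s)\A(?!.*" + re.escape(MUST_NOT_MATCH) + rb").*" + re.escape(MUST_MATCH)
)

def matches_with_lookahead(payload: bytes) -> bool:
    return LOOKAHEAD_RE.search(payload) is not None

# 2. Same decision without lookahead: two ordinary patterns, with the
#    AND / NOT combination done by the caller rather than the regex.
#    This is the shape to reach for when the engine only supports
#    basic regex syntax.
POSITIVE_RE = re.compile(re.escape(MUST_MATCH))
NEGATIVE_RE = re.compile(re.escape(MUST_NOT_MATCH))

def matches_without_lookahead(payload: bytes) -> bool:
    return (POSITIVE_RE.search(payload) is not None
            and NEGATIVE_RE.search(payload) is None)

def evaluate(payloads=PAYLOADS):
    """Return (lookahead_result, two_pattern_result) for each payload."""
    return [(matches_with_lookahead(p), matches_without_lookahead(p)) for p in payloads]

if __name__ == "__main__":
    for payload, (la, fb) in zip(PAYLOADS, evaluate()):
        print(f"lookahead={la!s:5} two-pattern={fb!s:5}  {payload[:30]!r}")
```

Both functions agree on every payload; only the first form depends on lookahead support in the engine.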
mhellman Thu, 01/10/2008 - 06:02

** update. sorry, just realized that this is not what you asked. I don't see anything in the docs anyway that refers to lookahead assertions **


yes, well according to the docs anyway. I've never tested though. In my experience, Cisco sometimes just inserts verbatim snippets of text from other documentation into their guides. The MARS docs say [or used to anyway] that they support them as well and they don't. Please let us know if they work for you.


http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_command_reference_chapter09186a0080592dcb.html#wp480571


"The following regular expression uses parentheses for recall:

• a(.)bc(.)\1\2 matches an a followed by any character, followed by bc followed by any character, followed by the first any character again, followed by the second any character again. For example, the regular expression can match aZbcTZT. The software remembers that the first character is Z and the second character is T and then uses Z and T again later in the regular expression."

mhellman Thu, 01/10/2008 - 08:07

good to know, but I'm confused now. So where exactly is the 6.x regex syntax documentation? I can't find it in the user guide, or the CLI configuration guide, or the "installing and using 6.x" guide. And the syntax in CLI reference guide is not the right stuff.


I see one link to the 5.x command reference doc (which still mentions nothing about lookahead assertions, but that's hardly the point) and one link to the "installing and using 4.x guide".


It used to be in the 4.x user guide (which seems like the appropriate place for it).

wsulym Fri, 01/11/2008 - 06:49

The CLI regex table is in the 6.x docs, "Introducing the CLI":

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/cmdref/crintro.htm#wp480571


The signature regex table was (and I believe still is) missing from the 6.x docs. You can use the one from the 4.x docs as it's the same:

http://www.cisco.com/en/US/docs/security/ips/4.0/configuration/guide/idm/swappa.html#wp787101



mhellman Fri, 01/11/2008 - 06:54

Thanks. What would I use the regex for in the CLI if not for signatures? Event display filtering perhaps?


Why not have someone update the 5.x and 6.x docs, especially since it appears to be a cut-and-paste effort? That seems like a pretty significant omission.
