Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
778
Views
5
Helpful
3
Replies

Cisco IDS/IPS regular expressions

redray8
Level 1
Level 1

‎11-10-2008 06:18 AM - edited ‎03-10-2019 04:22 AM

Is there any way to perform a NOT on a regular expression match. For instance, in PCRE it would be !"/[A-Z]+/i". I cannot determine if there is a valid way to do this on a Cisco IDS regex string. Any help or info would be greatly appreciated.

Labels:
0 Helpful
3 Replies 3

wsulym
Cisco Employee
Cisco Employee

‎11-10-2008 06:56 AM

Sure can.

[^a-z] would be "not character a-z"

[^ABCDZ] would be "not character A or B or C or D or Z]

0 Helpful

redray8
Level 1
Level 1
In response to wsulym

‎11-10-2008 09:04 AM

But how about against an entire expression. Such as I want to say match on expression "BLAH\:[A-Z]+\n" then do a NOT on it. So match if not equal to the entire expression.

thanks.

0 Helpful

wsulym
Cisco Employee
Cisco Employee
In response to redray8

‎11-10-2008 11:44 AM

To some extent, there is a way to do this. It would need to be anchored, and couldn't contain a repetition operator.

And by anchored I mean tied to something, otherwise the first not class in the regex below ([^Qq]) would fire on every/any character that was not a Q or q.

So I can say "not QUIT", regardless of case as follows:

[^Qq]|[Qq][^Uu]|[Qq][Uu][^Ii]|[Qq][Uu][Ii][^Tt]

so:

BLAH([^Qq]|[Qq][^Uu]|[Qq][Uu][^Ii]|[Qq][Uu][Ii][^Tt])

matches:

BLAHz

BLAHqz

BLAHquiz

BLAHq1

etc. etc.

but would not match:

BLAHquit

BLAHQUIT

BLAHQUit

etc. etc.

So yes, but limited.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card