Help with Regex for service-http

Unanswered Question
Jun 9th, 2009

Hi folks,

I'm trying to write a custom sig to match on certain values found in an HTTP GET request. The sig uses the service-http engine for TCP on standard WEBPORTS. For the sake of this example, lets say the string I'm looking for it:


In other words, if I see those three argument names (first, second, and third) then I want the sig to fire. The actual values of <somedata> is irrelevant.

The RegEx I'm using is:


However the sig is firing on requests that just match on seeing "&third" in the HTTP GET. Again, I need -all three- arguments present for the sig to fire.

Any suggestions? Am I on the right track with the regex?


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
clausonna Wed, 06/10/2009 - 11:15

Ok, replying to my own post here, but I was able to resolve this issue. The regex does work as designed. I think to be safe I should add brackets to make it case-insensitive (e.g. (([Ff][Ii][Rr][Ss][Tt]=) ) but otherwise this matches the intended traffic.


This Discussion