Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
444
Views
0
Helpful
1
Replies

Help with Regex for service-http

clausonna
Level 3
Level 3

‎06-09-2009 11:05 AM - edited ‎03-10-2019 04:39 AM

Hi folks,

I'm trying to write a custom sig to match on certain values found in an HTTP GET request. The sig uses the service-http engine for TCP on standard WEBPORTS. For the sake of this example, lets say the string I'm looking for it:

first=<somedata>&second=<somedata>&third=<somedata>

In other words, if I see those three argument names (first, second, and third) then I want the sig to fire. The actual values of <somedata> is irrelevant.

The RegEx I'm using is:

((first=).*(&second=).*(&third=).*)

However the sig is firing on requests that just match on seeing "&third" in the HTTP GET. Again, I need -all three- arguments present for the sig to fire.

Any suggestions? Am I on the right track with the regex?

Thanks!!

Labels:
0 Helpful
1 Reply 1

clausonna
Level 3
Level 3

‎06-10-2009 11:15 AM

Ok, replying to my own post here, but I was able to resolve this issue. The regex does work as designed. I think to be safe I should add brackets to make it case-insensitive (e.g. (([Ff][Ii][Rr][Ss][Tt]=) ) but otherwise this matches the intended traffic.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card