String Matching

emusican · ‎10-15-2003

How do you account for spaces in the regex string? Suppose I wanted to match on the word "thanks." How can I set the custom sig to account for the space before and after the word, as well as making sure "thank" doesnt show up, only "thanks." I have experimented a bit with the minimum length option in the custom string, but when I set it to 6 bytes, I get no string matches at all for "thanks." Does the option work at all or is it bugged?

Is there a web page that goes into string matching with VMS in deeper detail?

anthall · ‎10-15-2003

To match " thanks " you would use the regex "[ ]thanks[ ]". This would only match is there were spaces before and after the work thanks."thank" would never match. If you are refering to MinMatchLength when you write "minimum length" then yes, this option works and has no known bugs. This option is used when a wild card is used in the regex. For example, you want to look for an overflow in a path description with the following regex:

RegexString [/\\][^/\\]*[\-/\\]

MinMatchLength 200

This would only alarm if there were over two hundred characters between the slashes (a very long directory name). Without a wildcard or repeat operator (ie. * or +) MinMatchLength is of no use in matching a regex.

There is plenty of information about regex in general on the internet. I would recommend becomming familiar with the standards of regex first, then look to Cisco documentation for the special considerations relating to the regex implementation in the sensors.

emusican · ‎10-15-2003

Thanks for the info. One more thing:

Can you use boolean expressions? For instance, if I wanted to match on thanks OR welcome would I write the regex like this:

[ ]thanks[ ]||[ ]welcome[ ]

thanks for the help

Eric

anthall · ‎10-15-2003

You can use 'Or'ing in 4.0 and later.