Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Don't forget the parenthesis

Don't forget the parenthesis when you're putting trying to match against multiple patterns. This is applicable to both message filters and content filters.

For example, this condition below

if (attachment-filename == ".exe|.hlp|.msi|.scr|.wsf|.wsh$") {
quarantine ("Policy");
}

is not the same as this,

if (attachment-filename == "\\.(exe|hlp|msi|scr|wsf|wsh)$") {
quarantine ("Policy");
}


These will potentially give you two different results. Almost always use the ()'s to wrap around pattern.

2 REPLIES
Community Member

Re: Don't forget the parenthesis

Well..... the question remains...
What will be the result if you forget the parenthesis? If the device accepts the policy without them, it must have some function (or is this a bug in the filter checking?)

Steven

Community Member

Re: Don't forget the parenthesis

It's not so much a bug, but instead you get different results than you expect.

For example, given this condition below:

if (attachment-filename == ".exe|.hlp|.msi|.wsh$") {
quarantine ("Policy");
}

You would think it means filename that end with those extension. Yet, it doesn't.

What it's really saying is:

if attachment-filename has "any character followed by exe" or "any character followed by hlp" or any character followed by msi" or "ends with any character and wsh"

that's how the system would interpret it since it using Python regular expression.

. --> any character
$ ----> ends with
| (pipe) ---> OR statement

There are around 8 special character that mean something special in Python regex with respect to the Ironport.

.
$
^
( )
|
*

The rest can be found in the User Guide. I forget them at the moment. :)

So, by simply leaving out the parenthesis, it means something completely different.

That was the point I was driving at. With regular expressions, you have to be super careful of what you're trying to match against.

To best write regular expressions to match filenames or other things, it's always best to start out with the objective you're trying to match.

i.e I have attachment filenames that I want to match. I only want to match against the attachment filenames that ends with .exe, .bat, etc.

so, to do this, I would want something like this:

if ( atttachment-filename =="\\.(exe|bat|com)$" )

Since "." means any character in Python regex, you need to put the double backslash in front of it to derefence it. Then within parenthesis and separated by |'s, you put in the extensions you want to match. Then you end it with a "$", to indicate that it has to be found at the end of the filename as opposed to the beginning or the middle.

One last thing, if possible, either run your regex by another pair of eyes, preferably someone with some scripting/perl/regex experience as a sanity check or do a lot of testing. There is a built-in testing section the GUI and CLI interface of the Ironport that you can use. On the GUI, it's "System Administration > Trace". On the CLI, it's simply "trace".




Well..... the question remains... 
What will be the result if you forget the parenthesis? If the device accepts the policy without them, it must have some function (or is this a bug in the filter checking?)

Steven

150
Views
0
Helpful
2
Replies
CreatePlease to create content