Don't forget the parenthesis

kluu_ironport
Level 2

Don't forget the parentheses when you're trying to match against multiple patterns. This is applicable to both message filters and content filters.

For example, this condition below

if (attachment-filename == ".exe|.hlp|.msi|.scr|.wsf|.wsh$") {
quarantine ("Policy");
}

is not the same as this,

if (attachment-filename == "\\.(exe|hlp|msi|scr|wsf|wsh)$") {
quarantine ("Policy");
}


These will potentially give you two different results. Almost always use the ()'s to wrap around the pattern.

2 Replies

steven_geerts
Level 1

Well..... the question remains...
What will be the result if you forget the parenthesis? If the device accepts the policy without them, it must have some function (or is this a bug in the filter checking?)

Steven

kluu_ironport
Level 2

It's not so much a bug, but instead you get different results than you expect.

For example, given this condition below:

if (attachment-filename == ".exe|.hlp|.msi|.wsh$") {
quarantine ("Policy");
}

You would think it means filenames that end with those extensions. Yet, it doesn't.

What it's really saying is:

if attachment-filename has "any character followed by exe" or "any character followed by hlp" or "any character followed by msi" or "ends with any character and wsh"

that's how the system would interpret it, since it is using Python regular expressions.

. --> any character
$ ----> ends with
| (pipe) ---> OR statement

There are around 8 special characters that mean something special in Python regex with respect to the Ironport.

.
$
^
( )
|
*

The rest can be found in the User Guide. I forget them at the moment. :)

So, by simply leaving out the parenthesis, it means something completely different.

That was the point I was driving at. With regular expressions, you have to be super careful of what you're trying to match against.

To best write regular expressions to match filenames or other things, it's always best to start out with the objective you're trying to match.

i.e. I have attachment filenames that I want to match. I only want to match against the attachment filenames that end with .exe, .bat, etc.

so, to do this, I would want something like this:

if ( attachment-filename == "\\.(exe|bat|com)$" )

Since "." means any character in Python regex, you need to put the double backslash in front of it to dereference it. Then within parentheses and separated by |'s, you put in the extensions you want to match. Then you end it with a "$", to indicate that it has to be found at the end of the filename as opposed to the beginning or the middle.

One last thing: if possible, either run your regex by another pair of eyes, preferably someone with some scripting/perl/regex experience, as a sanity check, or do a lot of testing. There is a built-in testing section in the GUI and CLI interfaces of the Ironport that you can use. On the GUI, it's "System Administration > Trace". On the CLI, it's simply "trace".
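The point made in both of kluu_ironport's posts (the unparenthesised pattern vs. the anchored, parenthesised one) can be checked outside the appliance with Python's own `re` module, which the posts say is the regex dialect the filters use. The script below is an added example, not code from the posts or from Cisco; the filenames are constructed, and the assumption is that the filter string `"\\.(exe|...)$"` in the post corresponds to the regex `\.(exe|...)$` (a literal dot), which a Python raw string spells with a single backslash.

```python
import re

# Constructed sample filenames (not from the post). Several are chosen
# because they contain "exe", "hlp", "msi" or "wsh" somewhere other than
# the file extension.
SAMPLE_FILENAMES = [
    "setup.exe",        # real .exe
    "readme.hlp",       # real .hlp
    "installer.msi",    # real .msi
    "script.wsh",       # real .wsh
    "report.docx",      # harmless, no tricky substring
    "annexes.pdf",      # harmless, but "nexe" = any character + "exe"
    "teamsite.pdf",     # harmless, but "amsi" = any character + "msi"
    "payload.exe.bak",  # ends in .bak; "exe" sits in the middle of the name
    "payload.wsh.bak",  # same shape, but "wsh" is the one alternative the $ binds to
    "SETUP.EXE",        # upper-case extension
]

# The two patterns from the post. The filter string there is written "\\."
# because it sits inside a double-quoted filter expression; it is assumed
# here to mean the regex \. (a literal dot).
UNANCHORED = r".exe|.hlp|.msi|.wsh$"
ANCHORED = r"\.(exe|hlp|msi|wsh)$"


def matches(pattern, filename, ignore_case=False):
    """True if the regex is found anywhere in the filename.

    re.search (not fullmatch) mirrors the "contains" semantics the post
    describes: without an anchor, a hit in the middle of the name counts.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, filename, flags) is not None


def classify(pattern, filenames, ignore_case=False):
    """Return the filenames the pattern would send to quarantine."""
    return [f for f in filenames if matches(pattern, f, ignore_case)]


def compare(filenames=SAMPLE_FILENAMES):
    """Split the sample set by which pattern catches each name.

    "only_unanchored" holds the false positives of the sloppy pattern;
    "only_anchored" would hold names the sloppy pattern misses.
    """
    sloppy = set(classify(UNANCHORED, filenames))
    strict = set(classify(ANCHORED, filenames))
    return {
        "both": sorted(sloppy & strict),
        "only_unanchored": sorted(sloppy - strict),
        "only_anchored": sorted(strict - sloppy),
    }


def build_extension_pattern(extensions):
    """Build the anchored form for any list of extensions.

    re.escape protects dots and other metacharacters inside an extension
    (e.g. "tar.gz"), so a dot can never degrade into "any character".
    """
    alternatives = "|".join(re.escape(ext) for ext in extensions)
    return r"\.(" + alternatives + r")$"


if __name__ == "__main__":
    for bucket, names in compare().items():
        print(f"{bucket}: {names}")
    print("case-sensitive anchored on SETUP.EXE:",
          matches(ANCHORED, "SETUP.EXE"))
    print("case-insensitive anchored on SETUP.EXE:",
          matches(ANCHORED, "SETUP.EXE", ignore_case=True))
    print(build_extension_pattern(["exe", "bat", "com"]))
```

Two things fall out of running it. First, the `$` in the unanchored pattern binds only to the last alternative, so `payload.exe.bak` is caught while `payload.wsh.bak` is not; the anchored form treats every extension the same way and judges only the final extension, which is the behaviour the post is asking for. Second, both patterns as written are case-sensitive in Python, so `SETUP.EXE` slips past them; whether the appliance's own match is case-sensitive is not something this script can tell you, which is exactly why the post recommends testing with `trace` before relying on a filter.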