03-14-2006 09:53 AM - edited 03-10-2019 01:55 AM
Signature 5045-0 (WWW xterm Remote Shell Access) fired an alarm with "log pair packets" enabled. I cannot provide the trace for confidentiality reasons. Here are the regexes from that signature:
Arg Name Regex: term([ \t]|(%(20|09)))
Arg Value Regex: [-]display
Only the very 1st packet matched the Arg Value Regex (contained the string "-display"). It did not match the Arg Name Regex. How is this possible?
Do these particular regexes basically match anywhere in the HTTP stream and in any order?
03-14-2006 07:28 PM
It should be matching the Arg Name Regex first. The alert, though, could be showing you the last matches of the packet, hence only the Arg Value Regex.
The Arg Name Regex matches a space or tab; these could have come earlier in the stream or in the packet.
03-15-2006 07:22 AM
Shouldn't the ip logging process have the whole stream, or at least all relevant parts that match the regex?
Let's assume it doesn't, and I'm missing the first regex match. I'm just trying to understand how these particular regexes work. They will match query params and anywhere in the HTTP message-body (for an HTTP POST, for example). The order does matter, but for example a file upload of a text file with the following contents will trigger (I've tested and it does):
long term health insurance
The quick brown fox jumped over the fence
non-display
I just want to make sure: is that the expected behavior?
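As an added example (not from the thread and not Cisco's code), the two patterns quoted above are run in Python over the benign upload described in the post to show why it fires, next to a tightened pair that requires the whole word "xterm" and a separator before "-display". The evaluation model (each pattern searched anywhere in the request, value match at or after the name match) is an assumption about the sensor, not documented behavior, and the second test input is constructed.

```python
import re

# The two patterns quoted from signature 5045-0 in the thread.
ORIG_NAME_RE = re.compile(r"term([ \t]|(%(20|09)))")
ORIG_VALUE_RE = re.compile(r"[-]display")

# Tightened pair (my own proposal, not the signature's): "xterm" must be a
# whole word, and "-display" must follow a space/tab or its URL-encoded form
# rather than sit inside a word such as "non-display".
TUNED_NAME_RE = re.compile(r"(?<![A-Za-z0-9_])xterm([ \t]|%(20|09))")
TUNED_VALUE_RE = re.compile(r"(?:(?<=[ \t])|(?<=%20)|(?<=%09))-display")

# Constructed inputs: the benign text file from the thread, and a request
# carrying the xterm display redirection the signature is meant to detect.
BENIGN_UPLOAD = (
    "long term health insurance\n"
    "The quick brown fox jumped over the fence\n"
    "non-display\n"
)
XTERM_REQUEST = "cmd=xterm%20-display%20192.0.2.10:0"


def evaluate(name_re, value_re, payload):
    """Assumed sensor model: name pattern anywhere in the payload, then the
    value pattern at or after the name hit. Returns (name_hit, value_hit)
    when the signature would fire, else None."""
    name = name_re.search(payload)
    if name is None:
        return None
    value = value_re.search(payload, name.start())
    if value is None:
        return None
    return name.group(0), value.group(0)


if __name__ == "__main__":
    for label, payload in (("benign upload", BENIGN_UPLOAD),
                           ("xterm request", XTERM_REQUEST)):
        print(label, "original:", evaluate(ORIG_NAME_RE, ORIG_VALUE_RE, payload))
        print(label, "tuned:   ", evaluate(TUNED_NAME_RE, TUNED_VALUE_RE, payload))
```

The original pair fires on the benign file because "term " is the tail of "long term" and "-display" is the tail of "non-display"; the tightened pair keeps the xterm request and drops the false positive.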