Arg Name and Arg Value regex matching

mhellman
Level 7

Signature 5045-0 (WWW xterm Remote Shell Access) fired an alarm with "log pair packets" enabled. I cannot provide the trace for confidentiality reasons. Here are the regexes from that signature:

Arg Name Regex: term([ \t]|(%(20|09)))

Arg Value Regex: [-]display

Only the very 1st packet matched the Arg Value Regex (contained the string "-display"). It did not match the Arg Name Regex. How is this possible?

Do these particular regexes basically match anywhere in the HTTP stream and in any order?


jlimbo
Level 1

It should be matching the Arg Name Regex first. The alert, though, could be showing you the last matches of the packet, hence only the Arg Value Regex.

The Arg Name Regex matches a space or tab; these could have come earlier in the stream or in the packet.

Shouldn't the ip logging process have the whole stream, or at least all relevant parts that match the regex?

Let's assume it doesn't, and I'm missing the first regex match. I'm just trying to understand how these particular regexes work. They will match query params and anywhere in the HTTP message-body (for an HTTP POST, for example). The order does matter, but for example a file upload of a text file with the following contents will trigger (I've tested and it does):

long term health insurance

The quick brown fox jumped over the fence

non-display

I just want to make sure: is that the expected behavior?
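As an added illustration (not part of the thread), a small Python model of the ordered check described in this reply: the Arg Name Regex has to match first, and the Arg Value Regex is then searched for later in the same stream. The sequential semantics, the helper name `match_in_order` and the sample payloads are assumptions made for illustration; this is not the IPS engine's own implementation.

```python
import re

# The two regexes quoted from signature 5045-0 earlier in the thread.
ARG_NAME_REGEX = re.compile(r"term([ \t]|(%(20|09)))")
ARG_VALUE_REGEX = re.compile(r"[-]display")


def match_in_order(payload: str):
    """Approximate the ordered check the reply describes (assumption, not
    the engine's real code): the Arg Name Regex must match somewhere in the
    payload, and the Arg Value Regex must then match after that point.
    Returns ((name_start, name_end), (value_start, value_end)) or None."""
    name = ARG_NAME_REGEX.search(payload)
    if name is None:
        return None
    value = ARG_VALUE_REGEX.search(payload, name.end())
    if value is None:
        return None
    return (name.span(), value.span())


# Constructed sample: the benign text-file upload the poster tested with.
# "term " satisfies the name regex and "-display" (inside "non-display")
# satisfies the value regex, so the ordered check fires on harmless text.
BENIGN_UPLOAD = (
    "long term health insurance\n"
    "\n"
    "The quick brown fox jumped over the fence\n"
    "\n"
    "non-display\n"
)

# Constructed sample: same words, value before name, so the ordered check
# does not fire.
REVERSED_UPLOAD = "non-display\nlong term health insurance\n"

# Constructed sample: a URL-encoded query string exercising the %09 branch
# of the name regex; "term%09" then "-display" also fires.
ENCODED_QUERY = "GET /search?q=long%20term%09care&opt=-display HTTP/1.1\r\n"

if __name__ == "__main__":
    samples = [("benign upload", BENIGN_UPLOAD),
               ("reversed", REVERSED_UPLOAD),
               ("encoded query", ENCODED_QUERY)]
    for label, sample in samples:
        print(f"{label}: {match_in_order(sample)}")
```

Running it shows why the poster's plain-text file trips the signature: both regexes are satisfied by ordinary words in the right order, which is a false-positive risk to weigh when tuning the signature.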
