Cisco Support Community
Arg Name and Arg Value regex matching

Signature 5045-0 (WWW xterm Remote Shell Access) fired an alarm with "log pair packets" enabled. I cannot provide the trace for confidentiality reasons. Here are the regexes from that signature:

Arg Name Regex: term([ \t]|(%(20|09)))

Arg Value Regex: [-]display

Only the very 1st packet matched the Arg Value Regex (contained the string "-display"). It did not match the Arg Name Regex. How is this possible?

Do these particular regexes basically match anywhere in the HTTP stream and in any order?

2 REPLIES

Re: Arg Name and Arg Value regex matching

It should be matching the Arg Name Regex first. The alert, though, could be showing you the last matches of the packet, hence only the Arg Value Regex.

The Arg Name Regex matches a space or tab; these could have come earlier in the stream or in the packet.


Re: Arg Name and Arg Value regex matching

Shouldn't the ip logging process have the whole stream, or at least all relevant parts that match the regex?

Let's assume it doesn't, and I'm missing the first regex match. I'm just trying to understand how these particular regexes work. They will match query params and anywhere in the HTTP message body (for an HTTP POST, for example). The order does matter, but for example a file upload of a text file with the following contents will trigger (I've tested and it does):

long term health insurance

The quick brown fox jumped over the fence

non-display

I just want to make sure: is that the expected behavior?

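Added example (not from the thread or from Cisco): the two quoted regexes applied, unanchored, to the benign upload text from the post above and to a constructed query string of the kind the signature is meant to catch. It shows why "long term" plus "non-display" satisfies both halves, and contrasts that with an illustrative tightened pattern of my own that requires the two tokens to be adjacent; the sample bodies, the order check and the tightened regex are assumptions, not signature internals.

```python
import re

# Regexes exactly as quoted from signature 5045-0 in the thread.
ARG_NAME_RE = re.compile(r"term([ \t]|(%(20|09)))")
ARG_VALUE_RE = re.compile(r"[-]display")

# Illustrative tightened pattern (my assumption, not a Cisco signature):
# require the literal "xterm", then whitespace (raw or URL-encoded), then
# "-display" as the next token, so unrelated prose cannot satisfy the two
# halves independently.
TIGHT_RE = re.compile(r"\bxterm(?:[ \t]|%(?:20|09))+-display\b")


def signature_matches(body: str) -> dict:
    """Apply both regexes anywhere in the body and report what each hit."""
    name = ARG_NAME_RE.search(body)
    value = ARG_VALUE_RE.search(body)
    # The thread says the order matters; modelled here as name before value.
    fires = (name is not None and value is not None
             and name.start() < value.start())
    return {
        "arg_name_hit": name.group(0) if name else None,
        "arg_value_hit": value.group(0) if value else None,
        "fires": fires,
    }


def tightened_matches(body: str) -> bool:
    """True only when 'xterm' and '-display' appear as adjacent tokens."""
    return TIGHT_RE.search(body) is not None


# Constructed sample inputs (not real captures).
BENIGN_UPLOAD = (
    "long term health insurance\n"
    "The quick brown fox jumped over the fence\n"
    "non-display\n"
)
XTERM_QUERY = "cmd=xterm%20-display%20192.0.2.10:0"

if __name__ == "__main__":
    for label, body in (("benign upload", BENIGN_UPLOAD),
                        ("xterm query", XTERM_QUERY)):
        print(label, signature_matches(body),
              "tightened:", tightened_matches(body))
```

The benign text fires the original pair (hits "term " and "-display") but not the tightened pattern, while the constructed query fires both.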