Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Cisco IDS/IPS regular expressions

Is there any way to perform a NOT on a regular expression match. For instance, in PCRE it would be !"/[A-Z]+/i". I cannot determine if there is a valid way to do this on a Cisco IDS regex string. Any help or info would be greatly appreciated.

3 REPLIES
Cisco Employee

Re: Cisco IDS/IPS regular expressions

Sure can.

[^a-z] would be "not character a-z"

[^ABCDZ] would be "not character A or B or C or D or Z]

New Member

Re: Cisco IDS/IPS regular expressions

But how about against an entire expression. Such as I want to say match on expression "BLAH\:[A-Z]+\n" then do a NOT on it. So match if not equal to the entire expression.

thanks.

Cisco Employee

Re: Cisco IDS/IPS regular expressions

To some extent, there is a way to do this. It would need to be anchored, and couldn't contain a repetition operator.

And by anchored I mean tied to something, otherwise the first not class in the regex below ([^Qq]) would fire on every/any character that was not a Q or q.

So I can say "not QUIT", regardless of case as follows:

[^Qq]|[Qq][^Uu]|[Qq][Uu][^Ii]|[Qq][Uu][Ii][^Tt]

so:

BLAH([^Qq]|[Qq][^Uu]|[Qq][Uu][^Ii]|[Qq][Uu][Ii][^Tt])

matches:

BLAHz

BLAHqz

BLAHquiz

BLAHq1

etc. etc.

but would not match:

BLAHquit

BLAHQUIT

BLAHQUit

etc. etc.

So yes, but limited.

406
Views
5
Helpful
3
Replies
CreatePlease to create content