
Custom Signature Regex

jdavidcarpenter
Level 1

Does the Regex engine used by the IPS support lookahead syntax? I'm working on creating a custom signature using the TCP String engine that I want to fire if it both finds a given string, and does not find a second string. A negative lookahead seemed like the logical way to do this but when I try to use one I get a regex error from the sensor.
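As an added illustration (not from the thread, and not a statement about what the IPS signature engine accepts), here is the semantics the question describes, run in Python's `re` module, which does support lookahead: the anchored negative-lookahead form, the trailing form that misses an excluded string appearing earlier in the data, and a lookahead-free two-pass check. The HTTP-like sample strings and the `WANTED` / `EXCLUDED` values are constructed for the demonstration.

```python
import re

# Constructed sample data (not from the thread): the rule should fire only when
# WANTED is present and EXCLUDED is absent anywhere in the inspected data.
WANTED = "GET /admin"
EXCLUDED = "X-Auth: ok"

def anchored_lookahead(wanted, excluded):
    """Single-regex form for an engine that supports negative lookahead.
    Anchoring the lookahead at offset 0 makes it reject EXCLUDED anywhere in
    the data, before or after WANTED. re.S lets '.' span line breaks."""
    return re.compile(r"^(?!.*%s).*%s" % (re.escape(excluded), re.escape(wanted)), re.S)

def trailing_lookahead(wanted, excluded):
    """The intuitive but incomplete form: the lookahead only sees data AFTER the
    wanted string, so EXCLUDED appearing earlier in the stream is not noticed."""
    return re.compile(r"%s(?!.*%s)" % (re.escape(wanted), re.escape(excluded)), re.S)

def two_pass(data, wanted, excluded):
    """Lookahead-free equivalent: two plain matches combined outside the regex
    engine. This is the fallback when an engine rejects lookahead syntax."""
    has_wanted = re.search(re.escape(wanted), data) is not None
    has_excluded = re.search(re.escape(excluded), data) is not None
    return has_wanted and not has_excluded

# Constructed payloads covering the four cases that matter for the rule.
SAMPLES = {
    "wanted_only": "GET /admin HTTP/1.1\r\nHost: example\r\n\r\n",
    "excluded_after": "GET /admin HTTP/1.1\r\nX-Auth: ok\r\n\r\n",
    "excluded_before": "X-Auth: ok\r\nGET /admin HTTP/1.1\r\n\r\n",
    "no_wanted": "GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n",
}

def evaluate(samples=SAMPLES, wanted=WANTED, excluded=EXCLUDED):
    """Return {name: (anchored, trailing, two_pass)} so the three forms can be
    compared; only 'wanted_only' should fire for a correct implementation."""
    anchored = anchored_lookahead(wanted, excluded)
    trailing = trailing_lookahead(wanted, excluded)
    return {
        name: (anchored.search(data) is not None,
               trailing.search(data) is not None,
               two_pass(data, wanted, excluded))
        for name, data in samples.items()
    }

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(name, verdicts)
```

The `excluded_before` row is the one to watch: the trailing-lookahead form fires there even though the excluded string is present, which is why the lookahead has to be anchored at the start of the data (or replaced by a two-pass check) to get "A present and B absent anywhere".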

5 Replies

mhellman
Level 7

** update. sorry, just realized that this is not what you asked. I don't see anything in the docs anyway that refers to lookahead assertions **

yes, well according to the docs anyway. I've never tested though. In my experience, Cisco sometimes just inserts verbatim snippets of text from other documentation into their guides. The MARS docs say [or used to anyway] that they support them as well and they don't. Please let us know if they work for you.

http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_command_reference_chapter09186a0080592dcb.html#wp480571

"The following regular expression uses parentheses for recall:

• a(.)bc(.)\1\2 matches an a followed by any character, followed by bc followed by any character, followed by the first any character again, followed by the second any character again. For example, the regular expression can match aZbcTZT. The software remembers that the first character is Z and the second character is T and then uses Z and T again later in the regular expression."

wsulym
Cisco Employee

The CLI supports regex in CLI commands that are *not* config commands. And that CLI regex does support back reference:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cmdref/crintro.htm#wp480571

However, CLI regex isn't the same as signature regex. Signature regex is the following (and does not support back reference):

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swappa.htm#wp787101

There may be a way to do what you want - stringA then not-stringB - feel free to drop me a quick email offline with some detail at wsulym@cisco.com, we'll see what we can do.

good to know, but I'm confused now. So where exactly is the 6.x regex syntax documentation? I can't find it in the user guide, or the CLI configuration guide, or the "installing and using 6.x" guide. And the syntax in CLI reference guide is not the right stuff.

I see one link to the 5.x command reference doc (which still mentions nothing about lookahead assertions, but that's hardly the point) and one link to the "installing and using 4.x guide".

It used to be in the 4.x user guide (which seems like the appropriate place for it).

the cli regex table is in the 6.x docs, "introducing the cli":

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/cmdref/crintro.htm#wp480571

the signature regex table was (and i believe still is) missing from the 6.x docs. you can use the one from the 4.x docs as it's the same:

http://www.cisco.com/en/US/docs/security/ips/4.0/configuration/guide/idm/swappa.html#wp787101

thanks. what would I use the regex for in CLI if not for signatures? event display filtering perhaps?

why not have someone update the 5.x and 6.x docs, especially since it appears to be a cut-and-paste effort? That seems like a pretty significant omission.
