New Member

Custom Signature Regex

Does the Regex engine used by the IPS support lookahead syntax? I'm working on creating a custom signature using the TCP String engine that I want to fire if it both finds a given string, and does not find a second string. A negative lookahead seemed like the logical way to do this but when I try to use one I get a regex error from the sensor.

5 REPLIES
Gold

Re: Custom Signature Regex

** update. sorry, just realized that this is not what you asked. I don't see anything in the docs anyway that refers to lookahead assertions **

yes, well according to the docs anyway. I've never tested though. In my experience, Cisco sometimes just inserts verbatim snippets of text from other documentation into their guides. The MARS docs say [or used to anyway] that they support them as well and they don't. Please let us know if they work for you.

http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_command_reference_chapter09186a0080592dcb.html#wp480571

"The following regular expression uses parentheses for recall:

• a(.)bc(.)\1\2 matches an a followed by any character, followed by bc followed by any character, followed by the first any character again, followed by the second any character again. For example, the regular expression can match aZbcTZT. The software remembers that the first character is Z and the second character is T and then uses Z and T again later in the regular expression."

Cisco Employee

Re: Custom Signature Regex

The CLI supports regex in CLI commands that are *not* config commands. And that CLI regex does support back reference:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cmdref/crintro.htm#wp480571

However, CLI regex isn't the same as signature regex. Signature regex is the following (and does not support back reference):

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swappa.htm#wp787101

There may be a way to do what you want - stringA then not-stringB - feel free to drop me a quick email offline with some detail at wsulym@cisco.com, we'll see what we can do.

Gold

Re: Custom Signature Regex

good to know, but I'm confused now. So where exactly is the 6.x regex syntax documentation? I can't find it in the user guide, or the CLI configuration guide, or the "installing and using 6.x" guide. And the syntax in CLI reference guide is not the right stuff.

I see one link to the 5.x command reference doc (which still mentions nothing about lookahead assertions, but that's hardly the point) and one link to the "installing and using 4.x guide".

It used to be in the 4.x user guide (which seems like the appropriate place for it).

Cisco Employee

Re: Custom Signature Regex

the cli regex table is in the 6.x docs, "introducing the cli":

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/cmdref/crintro.htm#wp480571

the signature regex table was (and I believe still is) missing from the 6.x docs. you can use the one from the 4.x docs as it's the same:

http://www.cisco.com/en/US/docs/security/ips/4.0/configuration/guide/idm/swappa.html#wp787101

Gold

Re: Custom Signature Regex

thanks. what would I use the regex for in CLI if not for signatures? event display filtering perhaps?

why not have someone update the 5.x and 6.x docs, especially since it appears to be a cut-and-paste effort? That seems like a pretty significant omission.
