Cisco Support Community

Help with Regex for service-http

Hi folks,

I'm trying to write a custom sig to match on certain values found in an HTTP GET request. The sig uses the service-http engine for TCP on standard WEBPORTS. For the sake of this example, let's say the string I'm looking for is:

first=<somedata>&second=<somedata>&third=<somedata>

In other words, if I see those three argument names (first, second, and third) then I want the sig to fire. The actual values of <somedata> are irrelevant.

The RegEx I'm using is:

((first=).*(&second=).*(&third=).*)

However the sig is firing on requests that just match on seeing "&third" in the HTTP GET. Again, I need -all three- arguments present for the sig to fire.

Any suggestions? Am I on the right track with the regex?

Thanks!!

1 REPLY

Re: Help with Regex for service-http

Ok, replying to my own post here, but I was able to resolve this issue. The regex does work as designed. I think to be safe I should add brackets to make it case-insensitive (e.g. (([Ff][Ii][Rr][Ss][Tt]=) ) but otherwise this matches the intended traffic.

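The bracket expansion mentioned in the reply, as an added example that is not part of the original posts and is not Cisco code: it builds the case-insensitive form of the thread's regex and checks it against constructed request lines. Python's `re` stands in for the IPS regex engine (an assumption; only groups, `.*` and bracket classes are used), and the helper names are hypothetical.

```python
import re

def case_insensitive(literal):
    """Expand letters into bracket classes: 'first=' -> '[Ff][Ii][Rr][Ss][Tt]='.
    Assumes the literal has no regex metacharacters (true for these names)."""
    return "".join(
        "[%s%s]" % (ch.upper(), ch.lower()) if ch.isalpha() else ch
        for ch in literal
    )

def build_signature_regex(names):
    """Rebuild the thread's shape, (first=).*(&second=).*(&third=).*,
    with every argument name made case-insensitive."""
    groups = []
    for i, name in enumerate(names):
        prefix = "" if i == 0 else "&"   # only later arguments carry '&'
        groups.append("(%s)" % case_insensitive(prefix + name + "="))
    return "(" + ".*".join(groups) + ".*)"

PATTERN = build_signature_regex(["first", "second", "third"])
SIG = re.compile(PATTERN)

def fires(request_line):
    """True when the pattern matches anywhere in the request line."""
    return SIG.search(request_line) is not None

# Constructed request lines (not captured traffic) and what each one shows.
SAMPLES = [
    ("GET /app?first=1&second=2&third=3 HTTP/1.1", "all three, in order"),
    ("GET /app?FIRST=1&Second=2&THIRD=3 HTTP/1.1", "mixed case"),
    ("GET /app?first=1&x=9&second=2&y=0&third=3 HTTP/1.1", "extra args between"),
    ("GET /app?x=1&third=3 HTTP/1.1", "only third present"),
    ("GET /app?third=3&second=2&first=1 HTTP/1.1", "all three, reordered"),
    ("GET /app?myfirst=1&second=2&third=3 HTTP/1.1", "first= as a substring"),
]

if __name__ == "__main__":
    print(PATTERN)
    for line, note in SAMPLES:
        print("%-5s %-22s %s" % (fires(line), note, line))
```

The reordered and substring rows are the cases to check when tuning: the pattern is order-dependent, so a request carrying all three arguments in a different order does not match, and the unanchored `first=` also matches the tail of a longer argument name.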