New Member

IPS Regular expression character [?]

I understand the use of the ? character in a regex to match on 0 or 1 occurrences of the previous character. But, I don't understand what it means when it is in braces. Some examples:

Sig 3200 RegEx ends with [? \r\n\t]; it appears that there is a space after the ?. This seems to be matching on any white space (space, carriage return, newline or tab). But why is the ? important at the beginning?

Maybe a simpler example: signature 3232 looks for the string finger.pl in a case insensitive fashion, but the regEx ends in [?]. What is the purpose of the ? in braces?

Thanks,

KEP

4 REPLIES
Cisco Employee

Re: IPS Regular expression character [?]

When a "?" is in brackets, which signifies a character class, it means a match on the "?" character itself. Operators have no special meaning inside character classes; this includes "+,*,?,{,}" etc...

New Member

Re: IPS Regular expression character [?]

Thanks for the clarification. That makes perfect sense & I've seen it used before. I just did some testing with a few regex signatures that have the ? (often among other characters) & it does work this way. So, now I think my question is how is a ? interpreted by an http daemon - it seems to be that some signatures look for the ? specifically, while others look for it or a number of other whitespace-like characters (space, new line, tab, etc).

Bronze

Re: IPS Regular expression character [?]

When a '?' is passed as part of a URL, it signifies arguments to be passed to the resource being accessed.

For example, the URL http://some.domain.com/search.cgi?cromulent would be interpreted as someone passing the argument 'cromulent' to a CGI script called 'search.cgi' running on a web server using the name 'some.domain.com'.

This same technique has been used during some URL parsing attacks, format string attacks and other techniques whereby a real resource on a server is accessed via a specifically crafted URL. (Remember http://some.domain.com/../../winnt/system32/cmd.exe?dir+c: and all its Unicode and hex obfuscated cousins?)

I hope this helps,

Alex Arndt
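
The difference discussed in the replies above, as an added example that is not part of the original thread: it compares `?` as a quantifier, `[?]` as a literal, and the `[? \r\n\t]` terminator class against sample request lines. Python's `re` module stands in for the sensor's regex engine (an assumption), and the patterns and request lines are constructed for illustration, not the actual text of signatures 3200 or 3232.

```python
import re

# Constructed patterns modelled on the thread's description (assumptions,
# not the real signature regexes). re.I mirrors the case-insensitive match.
PATTERNS = {
    # Outside a class, '?' is a quantifier: the preceding 'l' becomes optional.
    "quantifier": re.compile(r"finger\.pl?", re.I),
    # Inside a class, '?' is a literal: the resource must be followed by '?'.
    "literal_qm": re.compile(r"finger\.pl[?]", re.I),
    # Literal '?' OR whitespace: the resource name must end right here,
    # whether or not a query string follows.
    "terminated": re.compile(r"finger\.pl[? \r\n\t]", re.I),
}

# Constructed sample request lines.
SAMPLES = {
    "query":      "GET /cgi-bin/finger.pl?user=root HTTP/1.0\r\n",
    "no_query":   "GET /cgi-bin/finger.pl HTTP/1.0\r\n",
    "bare_crlf":  "GET /cgi-bin/FINGER.PL\r\n",
    "other_file": "GET /cgi-bin/finger.plx HTTP/1.0\r\n",
    "short_name": "GET /cgi-bin/finger.p HTTP/1.0\r\n",
}


def classify(line):
    """Return which of the three constructed patterns match a request line."""
    return {name: bool(rx.search(line)) for name, rx in PATTERNS.items()}


def report():
    """Classify every sample line; keyed by sample name."""
    return {name: classify(line) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        hits = [p for p, matched in result.items() if matched]
        print(f"{name:11s} -> {', '.join(hits) or 'no match'}")
```

The quantifier form fires on `finger.plx` and even `finger.p`, the `[?]` form only fires when arguments are passed, and the terminator class fires on any request for exactly that resource.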

New Member

Re: IPS Regular expression character [?]

Thanks - I had been distracted and chased other issues. This explanation certainly is helpful!
