Cisco FirePOWER Appliance 7115
Sourcefire 3D System User Guide, Version 5.3
Chapter 30: Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Page 1117
Regular expressions are useful when searching for content that could be
displayed in a variety of ways. The content may have different attributes that you
want to account for in your attempt to locate it within a packet’s payload.
Note that the regular expression syntax used in intrusion rules is a subset of the
full regular expression library and varies in some ways from the syntax used in
commands in the full library. When adding a pcre keyword using the rule editor,
enter the full value in the following format:
!/pcre/ismxAEGRBUIPHDMCKSY
where:
• ! is an optional negation (use this if you want to match patterns that do not
match the regular expression).
• /pcre/ is a Perl-compatible regular expression.
• ismxAEGRBUIPHDMCKSY is any combination of modifier options.
Also note that you must escape the characters listed in the following table for the
rules engine to interpret them correctly when you use them in a PCRE to search
for specific content in a packet payload.
TIP! Optionally, you can surround your Perl-compatible regular expression with
quote characters, for example, pcre_expression or "pcre_expression". The
option of using quotes accommodates experienced users accustomed to
previous versions when quotes were required instead of optional. The rule editor
does not display quotation marks when you display a rule after saving it.
You can also use m?regex?, where ? is a delimiter other than /. You may want to
use this in situations where you need to match a forward slash within a regular
expression and do not want to escape it with a backslash. For example, you might
use m?regex?ismxAEGRBUIPHDMCKSY where regex is your Perl-compatible
regular expression and ismxAEGRBUIPHDMCKSY is any combination of modifier
options. See page 1118 for more information about regular expression syntax.
Escaped PCRE Characters

You must escape...      with a backslash...     or hex code...
# (hash mark)           \#                      \x23
; (semicolon)           \;                      \x3B
| (vertical bar)        \|                      \x7C
: (colon)               \:                      \x3A
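As an added example (not code from the user guide or from the Sourcefire rule editor), a small Python checker for pcre keyword values that covers the format lines above and this table: it splits a value into negation, delimiter, pattern and modifier letters, accepting both the /regex/ and m?regex? forms and the optional surrounding quotes, and then reports or escapes any of the four characters in the table that are not already escaped. The modifier letters and the escape table are the ones printed on this page; taking the last occurrence of the delimiter as the closing one is this example's own choice.

```python
# Modifier letters the rule editor accepts after the closing delimiter
PCRE_MODIFIERS = set("ismxAEGRBUIPHDMCKSY")
# Characters that must be escaped inside the pattern, with the hex form the table lists
MUST_ESCAPE = {"#": r"\x23", ";": r"\x3B", "|": r"\x7C", ":": r"\x3A"}


def parse_pcre_argument(arg):
    """Split a pcre keyword value into negation, delimiter, pattern and modifiers."""
    s = arg.strip()
    # Surrounding quotes are optional; drop them as the rule editor does
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'":
        s = s[1:-1]
    negate = s.startswith("!")
    if negate:
        s = s[1:]
    if s.startswith("/"):
        delim, body = "/", s[1:]
    elif len(s) > 1 and s[0] == "m" and not s[1].isalnum() and s[1] not in " \\":
        delim, body = s[1], s[2:]          # m?regex? form with a custom delimiter
    else:
        raise ValueError("pcre value must be /regex/ or m?regex? (optionally prefixed by !)")
    # Example's choice: the closing delimiter is the last occurrence; modifiers follow it
    end = body.rfind(delim)
    if end < 0:
        raise ValueError("missing closing delimiter %r" % delim)
    pattern, mods = body[:end], body[end + 1:]
    bad = set(mods) - PCRE_MODIFIERS
    if bad:
        raise ValueError("unknown modifier(s): %s" % "".join(sorted(bad)))
    return {"negate": negate, "delimiter": delim, "pattern": pattern, "modifiers": mods}


def find_unescaped_specials(pattern):
    """Return (index, char) for each #, ;, | or : not preceded by an odd run of backslashes."""
    hits = []
    for i, ch in enumerate(pattern):
        if ch in MUST_ESCAPE:
            n, j = 0, i - 1
            while j >= 0 and pattern[j] == "\\":
                n, j = n + 1, j - 1
            if n % 2 == 0:              # even count: the backslashes escape each other, not ch
                hits.append((i, ch))
    return hits


def escape_specials(pattern, use_hex=False):
    """Escape the characters from the table with a backslash or with their hex code."""
    todo = {i for i, _ in find_unescaped_specials(pattern)}
    return "".join((MUST_ESCAPE[c] if use_hex else "\\" + c) if i in todo else c
                   for i, c in enumerate(pattern))
```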