Cisco FirePOWER Appliance 7115
Sourcefire 3D System User Guide, Version 5.3
Chapter 30: Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Page 1117 of 2442
Regular expressions are useful when searching for content that could be 
displayed in a variety of ways. The content may have different attributes that you 
want to account for in your attempt to locate it within a packet’s payload.
Note that the regular expression syntax used in intrusion rules is a subset of the full regular expression library and varies in some ways from the syntax used in commands in the full library. When adding a pcre keyword using the rule editor, enter the full value in the following format:

!/pcre/ismxAEGRBUIPHDMCKSY

where:

! is an optional negation (use this if you want to match patterns that do not match the regular expression).

/pcre/ is a Perl-compatible regular expression.

ismxAEGRBUIPHDMCKSY is any combination of modifier options.
Also note that you must escape the characters listed in the following table for the 
rules engine to interpret them correctly when you use them in a PCRE to search 
for specific content in a packet payload.
TIP! Optionally, you can surround your Perl-compatible regular expression with quote characters, for example, pcre_expression or "pcre_expression". The option of using quotes accommodates experienced users accustomed to previous versions when quotes were required instead of optional. The rule editor does not display quotation marks when you display a rule after saving it.
You can also use m?regex?, where ? is a delimiter other than /. You may want to use this in situations where you need to match a forward slash within a regular expression and do not want to escape it with a backslash. For example, you might use m?regex?ismxAEGRBUIPHDMCKSY, where regex is your Perl-compatible regular expression and ismxAEGRBUIPHDMCKSY is any combination of modifier options. See page 1118 for more information about regular expression syntax.
Escaped PCRE Characters

You must escape...    with a backslash...    or hex code...
# (hash mark)         \#                     \x23
; (semicolon)         \;                     \x3B
| (vertical bar)      \|                     \x7C
: (colon)             \:                     \x3A
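The following Python helper is an added example, not code from the Sourcefire product or this guide; it applies the pcre keyword format and the escape table above to a rule value before it is pasted into the rule editor, splitting off the optional negation, the /regex/ or m?regex? body and the modifier letters, and flagging any unescaped #, ;, | or :. The modifier set and the escape table are the ones printed on this page; the function and variable names are my own.

```python
PCRE_MODIFIERS = set("ismxAEGRBUIPHDMCKSY")   # modifier letters listed on this page
MUST_ESCAPE = {"#": r"\x23", ";": r"\x3B", "|": r"\x7C", ":": r"\x3A"}  # escape table

def unescaped_reserved(pattern):
    """Reserved characters that appear in pattern without a preceding backslash."""
    found, i = [], 0
    while i < len(pattern):
        if pattern[i] in MUST_ESCAPE:
            found.append(pattern[i])
        i += 2 if pattern[i] == "\\" else 1   # a backslash consumes the next char
    return found

def parse_pcre_keyword(value):
    """Split a pcre keyword value into (negated, regex, modifiers).

    Accepts !/regex/mods, optionally wrapped in double quotes, and the
    m?regex? form with a delimiter other than '/'. Raises ValueError on a
    malformed value, an unknown modifier, or an unescaped # ; | or :.
    """
    v = value.strip()
    if len(v) >= 2 and v[0] == v[-1] == '"':      # surrounding quotes are optional
        v = v[1:-1]
    negated = v.startswith("!")                   # leading ! inverts the match
    v = v[1:] if negated else v
    if v.startswith("/"):
        delim, body = "/", v[1:]
    elif len(v) > 2 and v[0] == "m" and v[1] != "/" and not v[1].isalnum():
        delim, body = v[1], v[2:]                 # m?regex? with a custom delimiter
    else:
        raise ValueError("value must look like /regex/ or m?regex?")
    end = body.rfind(delim)                       # modifiers never contain the delimiter
    if end < 0:
        raise ValueError(f"missing closing delimiter {delim!r}")
    regex, mods = body[:end], body[end + 1:]
    unknown = set(mods) - PCRE_MODIFIERS
    if unknown:
        raise ValueError("unknown modifier(s): " + "".join(sorted(unknown)))
    for ch in unescaped_reserved(regex):
        raise ValueError(f"{ch!r} must be written as \\{ch} or {MUST_ESCAPE[ch]}")
    return negated, regex, mods

def pcre_keyword_error(value):
    """None if the rule editor would accept value, otherwise the problem found."""
    try:
        parse_pcre_keyword(value)
        return None
    except ValueError as exc:
        return str(exc)
```

The check is a syntax pre-flight only; it does not compile the regex, so pattern errors inside the delimiters are still reported by the rules engine itself.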