Cisco Cisco Firepower Management Center 4000
32-32
FireSIGHT System User Guide
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Tip
Optionally, you can surround your Perl-compatible regular expression with quote characters, for
example,
example,
pcre_expression
or
“pcre_expression“.
The option of using quotes accommodates
experienced users accustomed to previous versions when quotes were required instead of optional. The
rule editor does not display quotation marks when you display a rule after saving it.
rule editor does not display quotation marks when you display a rule after saving it.
You can also use
m?regex?
, where
?
is a delimiter other than /. You may want to use this in situations
where you need to match a forward slash within a regular expression and do not want to escape it with
a backslash. For example, you might use
a backslash. For example, you might use
m?regex? ismxAEGRBUIPHDMCKSY
where
regex
is your
Perl-compatible regular expression and
ismxAEGRBUIPHDMCKSY
is any combination of modifier options.
See
for more information about regular
expression syntax.
The following sections provide more information about building valid values for the
pcre
keyword:
•
describes the common syntax used in
Perl-compatible regular expressions.
•
describes the options you can use to modify your regular
expression.
•
gives example usage of the
pcre
keyword in rules.
Perl-Compatible Regular Expression Basics
License:
Protection
The
pcre
keyword accepts standard Perl-compatible regular expression (PCRE) syntax. The following
sections describe that syntax.
Tip
Although this section describes the basic syntax you may use for PCRE, you may want to consult an
online reference or book dedicated to Perl and PCRE for more advanced information.
online reference or book dedicated to Perl and PCRE for more advanced information.
Metacharacters
License:
Protection
Metacharacters are literal characters that have special meaning within regular expressions. When you
use them within a regular expression, you must “escape” them by preceding them with a backslash.
use them within a regular expression, you must “escape” them by preceding them with a backslash.
The following table describes the metacharacters you can use with PCRE and gives examples of each.
Table 32-16
PCRE Metacharacters
Metacharacter
Description
Example
.
Matches any character except newlines. If
s
is used
as a modifying option, it also includes newline
characters.
characters.
abc.
matches
abcd
,
abc1
,
abc#
, and so on.
*
Matches zero or more occurrences of a character or
expression.
expression.
abc*
matches
abc
,
abcc
,
abccc
,
abccccc
, and so on.
?
Matches zero or one occurrence of a character or
expression.
expression.
abc?
matches
abc
.
+
Matches one or more occurrences of a character or
expression.
expression.
abc+
matches
abc
,
abcc
,
abccc
,
abccccc
, and so on.