Cisco Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Chapter 30
Example PCRE Keyword Values
License: Protection
The following examples show values that you could enter for pcre, with descriptions of what each example would match.
• /feedback[(\d{0,1})]?\.cgi/U
  This example searches packet payload for feedback, followed by zero or one numeric character, followed by .cgi, and located only in URI data.
  This example would match:
  • feedback.cgi
  • feedback1.cgi
  • feedback2.cgi
  • feedback3.cgi
  This example would not match:
  • feedbacka.cgi
  • feedback11.cgi
  • feedback21.cgi
  • feedbackzb.cgi
• /^ez(\w{3,5})\.cgi/iU
  This example searches packet payload for ez at the beginning of a string, followed by a word of 3 to 5 letters, followed by .cgi. The search is case-insensitive and only searches URI data.
  This example would match:
  • EZBoard.cgi
  • ezman.cgi
  • ezadmin.cgi
  • EZAdmin.cgi
  This example would not match:
  • ezez.cgi
  • fez.cgi
  • abcezboard.cgi
  • ezboardman.cgi
• /mail(file|seek)\.cgi/U
  This example searches packet payload for mail, followed by either file or seek, in URI data.
  This example would match:
  • mailfile.cgi
  • mailseek.cgi
  This example would not match:
  • MailFile.cgi
  • mailfilefile.cgi
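The three values above can be checked against their listed strings before a rule is deployed. The following is an added example, not part of the guide or of any Sourcefire tooling: it assumes Python's re module behaves like PCRE for these patterns, models only the i, s, m and x modifiers plus U (URI data only), and the names parse_pcre_value, matches and run_cases are hypothetical.

```python
import re

# Perl-style modifiers that map directly onto Python re flags.
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}

def parse_pcre_value(value):
    """Split a '/regex/modifiers' value into (compiled regex, uri_only)."""
    m = re.fullmatch(r"/(.*)/([A-Za-z]*)", value, re.DOTALL)
    if not m:
        raise ValueError(f"not a /regex/modifiers value: {value!r}")
    body, mods = m.groups()
    flags, uri_only = 0, False
    for mod in mods:
        if mod == "U":                 # U: search URI data only
            uri_only = True
        elif mod in PCRE_FLAGS:
            flags |= PCRE_FLAGS[mod]
        else:
            raise ValueError(f"modifier {mod!r} is not modelled here")
    return re.compile(body, flags), uri_only

def matches(value, uri=None, payload=None):
    """True if the pcre value would match the supplied buffers."""
    regex, uri_only = parse_pcre_value(value)
    data = uri if uri_only else payload
    return data is not None and regex.search(data) is not None

FEEDBACK = r"/feedback[(\d{0,1})]?\.cgi/U"
# Constructed table: value -> (strings listed as matching, listed as not matching).
CASES = {
    FEEDBACK: (["feedback.cgi", "feedback1.cgi", "feedback2.cgi", "feedback3.cgi"],
               ["feedbacka.cgi", "feedback11.cgi", "feedback21.cgi", "feedbackzb.cgi"]),
    r"/^ez(\w{3,5})\.cgi/iU": (["EZBoard.cgi", "ezman.cgi", "ezadmin.cgi", "EZAdmin.cgi"],
                               ["ezez.cgi", "fez.cgi", "abcezboard.cgi", "ezboardman.cgi"]),
    r"/mail(file|seek)\.cgi/U": (["mailfile.cgi", "mailseek.cgi"],
                                 ["MailFile.cgi", "mailfilefile.cgi"]),
}

def run_cases():
    """Return every (value, uri, expected) where the regex disagrees with the table."""
    failures = []
    for value, (hits, misses) in CASES.items():
        for uri, expected in [(u, True) for u in hits] + [(u, False) for u in misses]:
            if matches(value, uri=uri) != expected:
                failures.append((value, uri, expected))
    return failures

if __name__ == "__main__":
    print("disagreements with the listed examples:", run_cases())
    # The square brackets form a character class, so '(' ')' '{' '}' ',' also satisfy it.
    print("feedback(.cgi matches:", matches(FEEDBACK, uri="feedback(.cgi"))
    # With U, the same string in the payload but not in the URI does not match.
    print("payload-only match:", matches(FEEDBACK, uri="/index.html", payload="feedback.cgi"))
```

The second check shows that the first value is broader than its description: because the brackets form a character class, punctuation such as ( or { in that position also matches, which matters when estimating false positives.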