Cisco FirePOWER Appliance 7115

Version 5.3
Sourcefire 3D System User Guide
Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
Chapter 30
Example PCRE Keyword Values
License: Protection
The following examples show values that you could enter for pcre, with descriptions of what each example would match.
/feedback[(\d{0,1})]?\.cgi/U
This example searches packet payload for feedback, followed by zero or one numeric character, followed by .cgi, and located only in URI data.
This example would match:
feedback.cgi 
feedback1.cgi
feedback2.cgi 
feedback3.cgi
This example would not match:
feedbacka.cgi
feedback11.cgi
feedback21.cgi
feedbackzb.cgi
/^ez(\w{3,5})\.cgi/iU
This example searches packet payload for ez at the beginning of a string, followed by a word of 3 to 5 letters, followed by .cgi. The search is case-insensitive and only searches URI data.
This example would match:
EZBoard.cgi
ezman.cgi
ezadmin.cgi
EZAdmin.cgi
This example would not match:
ezez.cgi
fez.cgi
abcezboard.cgi
ezboardman.cgi
/mail(file|seek)\.cgi/U
This example searches packet payload for mail, followed by either file or seek, in URI data.
This example would match:
mailfile.cgi
mailseek.cgi
This example would not match:
MailFile.cgi
mailfilefile.cgi
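
The following Python harness is an added example, not part of the Sourcefire guide: it checks the three pcre values above against the page's own match and no-match lists before a rule is deployed. It assumes Python's re module as a stand-in for the PCRE engine, treats each test string as the contents of the URI buffer, and handles only the i, s, m, x and U modifiers; the function names and the three edge-case strings at the end are constructed for illustration.

```python
import re

# Modifiers with a direct Python `re` equivalent; U is rule-engine specific.
PY_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}

def parse_pcre_value(value):
    """Split '/regex/modifiers' into (compiled regex, uri_only flag)."""
    if not value.startswith("/") or value.rfind("/") == 0:
        raise ValueError("expected /regex/modifiers")
    body, mods = value[1:].rsplit("/", 1)
    flags, uri_only = 0, False
    for mod in mods:
        if mod == "U":
            uri_only = True              # search URI data only
        elif mod in PY_FLAGS:
            flags |= PY_FLAGS[mod]
        else:
            raise ValueError(f"modifier {mod!r} is not handled here")
    return re.compile(body, flags), uri_only

def matches(value, uri="", payload=""):
    """True if the pcre value matches the buffer its modifiers select."""
    regex, uri_only = parse_pcre_value(value)
    return regex.search(uri if uri_only else payload) is not None

# The three values from this page with their match / no-match lists.
PAGE_EXAMPLES = {
    r"/feedback[(\d{0,1})]?\.cgi/U": (
        ["feedback.cgi", "feedback1.cgi", "feedback2.cgi", "feedback3.cgi"],
        ["feedbacka.cgi", "feedback11.cgi", "feedback21.cgi", "feedbackzb.cgi"]),
    r"/^ez(\w{3,5})\.cgi/iU": (
        ["EZBoard.cgi", "ezman.cgi", "ezadmin.cgi", "EZAdmin.cgi"],
        ["ezez.cgi", "fez.cgi", "abcezboard.cgi", "ezboardman.cgi"]),
    r"/mail(file|seek)\.cgi/U": (
        ["mailfile.cgi", "mailseek.cgi"],
        ["MailFile.cgi", "mailfilefile.cgi"]),
}

def disagreements():
    """Return (value, uri, expected) for each page claim the regex contradicts."""
    return [(v, u, want)
            for v, (hits, misses) in PAGE_EXAMPLES.items()
            for want, uris in ((True, hits), (False, misses))
            for u in uris if matches(v, uri=u) != want]

if __name__ == "__main__":
    print("disagreements with the page:", disagreements())
    # Constructed edge cases: [(\d{0,1})] is a character class, \w is not letters-only,
    # and a U-modified value ignores text that appears only outside the URI buffer.
    print(matches(r"/feedback[(\d{0,1})]?\.cgi/U", uri="feedback(.cgi"))
    print(matches(r"/^ez(\w{3,5})\.cgi/iU", uri="ez_123.cgi"))
    print(matches(r"/mail(file|seek)\.cgi/U", payload="mailfile.cgi"))
```

The first two edge cases match because the square brackets in the feedback value form a character class that also accepts literal parentheses, braces and commas, and because \w covers digits and underscores as well as letters; tighten the expressions if a rule must accept only what the descriptions state.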