Cisco FirePOWER Appliance 8360
FireSIGHT System User Guide, page 32-34
Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules
You can use modifying options after you specify regular expression syntax in the pcre keyword's value. These modifiers perform Perl, PCRE, and Snort-specific processing functions. Modifiers always appear at the end of the PCRE value, and appear in the following format:

/pcre/ismxAEGRBUIPHDMCKSY

where ismxAEGRBUPHMC can include any of the modifying options that appear in the following tables.

Tip: Optionally, you can surround the regular expression and any modifying options with quotes, for example, "/pcre/ismxAEGRBUIPHDMCKSY". The option of using quotes accommodates experienced users accustomed to previous versions, when quotes were required instead of optional. The rule editor does not display quotation marks when you display a rule after saving it.
The following table describes options you can use to perform Perl processing functions.

Table 32-18 Perl-Related Post Regular Expression Options

Option  Description
i       Makes the regular expression case-insensitive.
s       The dot character (.) describes all characters except the newline or \n character. You can use "s" as an option to override this and have the dot character match all characters, including the newline character.
m       By default, a string is treated as a single line of characters, and ^ and $ match the beginning and ending of a specific string. When you use "m" as an option, ^ and $ match content immediately before or after any newline character in the buffer, as well as at the beginning or end of the buffer.
x       Ignores white space data characters that may appear within the pattern, except when escaped (preceded by a backslash) or included inside a character class.

The following table describes the PCRE modifiers you can use after the regular expression.

Table 32-19 PCRE-Related Post Regular Expression Options

Option  Description
A       The pattern must match at the beginning of the string (same as using ^ in a regular expression).
E       Sets $ to match only at the end of the subject string. (Without E, $ also matches immediately before the final character if it is a newline, but not before any other newline characters.)
G       By default, *, + and ? are "greedy," which means that if two or more matches are found, they will choose the longest match. Use the G character to change this so that these characters always choose the first match unless followed by a question mark character (?). For example, *?, +? and ?? would be greedy in a construct using the G modifier, and any incidences of *, +, or ? without the additional question mark will not be greedy.

The following table describes the Snort-specific modifiers that you can use after the regular expression.

The HTTP preprocessor must be enabled to allow processing of rules using the C, H, U, M, or P expression modifiers. When the HTTP preprocessor is disabled and you enable rules that use these modifiers, you are prompted whether to enable the preprocessor when you save the policy. See
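To make the effect of these modifiers concrete, the following Python example (added here; it is not code from the guide, Cisco or Snort) parses a pcre keyword value, maps the Perl modifiers i, s, m and x onto Python re flags, emulates A, E and G by rewriting the pattern, and reports which modifiers the guide says need the HTTP preprocessor. It assumes Python's re engine as a stand-in for Snort's PCRE library for these modifiers; the Snort-specific buffer modifiers themselves are not emulated, and the rule values and buffers fed to it are constructed for illustration.

```python
import re
# Perl-related modifiers (Table 32-18) mapped onto Python's re flags.
PERL_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}
HTTP_PREPROCESSOR_MODS = set("CHUMP")  # the guide says these need the HTTP preprocessor

def parse_pcre_value(value):
    """Split '/regex/mods' into (regex, mods); quotes are optional, as the guide notes."""
    value = value.strip().strip('"')
    end = value.rfind("/")  # modifiers are the letters after the last '/'
    if not value.startswith("/") or end == 0:
        raise ValueError("pcre value must look like /regex/modifiers")
    return value[1:end], value[end + 1:]

def invert_greed(regex):
    """G modifier: a bare *, + or ? becomes lazy; one already followed by ? becomes greedy."""
    out, i, in_class = [], 0, False
    while i < len(regex):
        c = regex[i]
        if c == "\\":  # escaped character: copy it with its backslash, never a quantifier
            out.append(regex[i:i + 2]); i += 2; continue
        if in_class:  # inside [...] the quantifier characters are literals
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c in "*+?" and out and out[-1] != "(":  # '(' guards the (?: group prefix
            lazy = regex[i + 1:i + 2] == "?"
            out.append(c if lazy else c + "?"); i += 2 if lazy else 1
            continue
        out.append(c); i += 1
    return "".join(out)

def to_python_regex(regex, modifiers):
    """Apply i/s/m/x as flags; emulate A (\\A anchor), E ($ -> \\Z) and G by rewriting."""
    flags = sum(PERL_FLAGS.get(m, 0) for m in set(modifiers))  # distinct bits, so sum == OR
    if "G" in modifiers:
        regex = invert_greed(regex)
    if "E" in modifiers:  # $ only at the very end (a $ inside [...] is not handled)
        regex = re.sub(r"(?<!\\)\$", r"\\Z", regex)
    if "A" in modifiers:
        regex = r"\A(?:" + regex + ")"
    return re.compile(regex, flags)

def first_match(value, subject):
    """Text matched by a pcre keyword value against a subject buffer, or None."""
    regex, modifiers = parse_pcre_value(value)
    m = to_python_regex(regex, modifiers).search(subject)
    return m.group(0) if m else None

def needs_http_preprocessor(value):
    return sorted(HTTP_PREPROCESSOR_MODS & set(parse_pcre_value(value)[1]))
```

For example, first_match("/a.*b/G", "axbxb") returns "axb", while the same value without G returns "axbxb", which is the greediness inversion Table 32-19 describes.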