topic Re: Regex Not matching when ? is in the URL. in Custom Signatures

Regex Not matching when ? is in the URL.

jpeters — Thu, 17 Mar 2016 05:29:05 GMT

I am trying to setup a custom application to match based on URL request which contains:

search=

This is the only consistent 7 byte string in the URL. This works fine unless the request contains a preceeding '?' in the URL.

For example the following URL would not match

/some.php?af=352485245&search=blahblah

While this URL would match:

/some.php&af=352485245&search=blahblah

I am assuming this is because we are hitting the ? and stopping there. How would I write this pattern so that if there is a preceeding ? anywhere in the URL, it is ignored or treated as a literal '?'.

Re: Regex Not matching when ? is in the URL.

abjain — Thu, 17 Mar 2016 06:44:58 GMT

Which context are you using. Please try using the http-req-params

Re: Regex Not matching when ? is in the URL.

rcole — Thu, 17 Mar 2016 10:51:28 GMT

Good morning, jpeters.

As abjain stated, http-req-uri-path and http-req-params contain some distinctions that will help you match in this case.

See page 24 on this document: https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/58569