How do I create a DLP policy to detect private IPs using regular expressions, or what regular expression should I use for the data pattern?


L0 Member

How do I create a DLP policy to detect private IPs using regular expressions, or what regular expression should I use for the data pattern?


L3 Networker

I am not sure what your goal is, so there may be a much better way to accomplish what you are trying to accomplish. That being said, here is a link to the admin guide for 5.0:

https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/4118-102-7-19329/PA-5.0_Administra...

On pages 235 and 236 the "regex" rules are described.  This is not full blown regex as you are likely used to.  It is a very cut down version.

Here are some "regex(s)" that I have come up with as an example. The rules state that your data pattern "regex" must be at least 7 bytes long. This is constrained to the string you are searching for and not anything between brackets (so no tricking the system with logic (and, or, etc.)). In these examples I am keying on HTML form post data - so, uploading a file via a web form. As you can see, the "string" here is "form-data":

Any IP:

.*(form\-data).*((([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))).*

RFC 1918 (10/8) IP:

.*(form\-data).*((10)\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))).*

RFC 1918 (172.16/12) IP:

.*(form\-data).*((172)\.((1[6-9])|(2[0-9])|(3[0-1]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))).*

RFC 1918 (192.168/16) IP:

.*(form\-data).*((192)\.(168)\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))).*

NOTE:

For looking in email, you might use the string "subject" as a key word.  The "regex" would then look like this:

Any IP:

.*(subject).*((([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))).*

!!!WARNING!!!:

This will slow down your commit times, and if you use all of these at the same time, your commit may fail.  This is because there is a limited memory space for compiling custom signatures.  The more complex the signature, the more memory the compile takes.  I tested these on a PA-200 and the commits failed for the most part.  I was able to get the smaller ones to commit and work, but again, this is not recommended.

I hope this helps.

-chadd.
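As an added check that is not part of chadd's reply or of Palo Alto Networks' documentation, the script below builds the same keyword-plus-address shape used in the patterns above and runs it over constructed sample upload bodies with Python's re module. It assumes the pattern logic can be exercised with a standard regex engine; the PAN-OS signature engine itself (its 7-byte rule, compile memory limits) is not modelled, and the sample bodies are made up.

```python
import re

# One octet, 0-255, written only with constructs the patterns above already use
# (no ? or {}): 0-9, 00-99, 100-199, 200-249, 250-255.
# Note that [2][0-5][0-5] would only cover 200-205, 210-215, ... 250-255.
OCTET = r"(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-4][0-9])|([2][5][0-5]))"

def keyed(keyword: str, address: str) -> str:
    """Keyword, anything, address, anything: the shape of the forum patterns."""
    return r".*(" + keyword + r").*(" + address + r").*"

# Address parts per range; literals such as (10) must be groups, not classes.
ADDRESS = {
    "any":        r"\.".join([OCTET] * 4),
    "10/8":       r"(10)\." + r"\.".join([OCTET] * 3),
    "172.16/12":  r"(172)\.((1[6-9])|(2[0-9])|(3[0-1]))\." + r"\.".join([OCTET] * 2),
    "192.168/16": r"(192)\.(168)\." + r"\.".join([OCTET] * 2),
}
# "form-data" is the fixed string that satisfies the 7-byte minimum.
PATTERNS = {name: re.compile(keyed(r"form\-data", addr)) for name, addr in ADDRESS.items()}

def classify(payload: str) -> list:
    """Names of the patterns that match a payload, in ADDRESS order."""
    return [name for name, pat in PATTERNS.items() if pat.search(payload)]

def octet_ok(text: str) -> bool:
    """True when the whole string is a single valid octet under OCTET."""
    return re.fullmatch(OCTET, text) is not None

# Constructed sample bodies (not real traffic): a multipart upload header
# followed by the text being uploaded.
UPLOAD = 'Content-Disposition: form-data; name="file"; filename="hosts.txt" '
SAMPLES = {
    "private_10":  UPLOAD + "db01 10.0.12.254",
    "private_172": UPLOAD + "app  172.31.200.9",
    "private_192": UPLOAD + "nas  192.168.255.10",
    "public":      UPLOAD + "dns  8.8.8.8",
    "no_keyword":  "GET /?ip=10.0.0.1 HTTP/1.1",
    # No boundary anchor in this cut-down syntax, so the 10/8 pattern also
    # fires on "10.0.0.1" inside the public address "110.0.0.1".
    "false_pos":   UPLOAD + "wan  110.0.0.1",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12} -> {classify(body)}")
```

The false_pos sample is worth keeping in mind when tuning: the detection cannot tell a 10/8 address from the tail of a longer public one, so expect some noise on the 10/8 rule.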
