Negative lookahead regular expression not working

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L3 Networker

Negative lookahead regular expression not working

Hi

Bit of an advanced regex feature, but I would like to set up a custom vulnerability signature to detect browsers (user-agent) that are not Internet Explorer. True, one could detect Firefox specifically, but there are so many different browsers in the wild that it is impossible to match them all.

The regex I'm attempting therefore is: User-Agent: (?!.*MSIE).*

The regular expression would match if any browser type (user-agent) is not MS Internet Explorer, which is what I need.

However, PANOS 4.0.0 doesn't seem to like this syntax and returns an error:-

Operation Failed:

-> signature > standard > Firefox -> and-condition -> And Condition 1 -> or-condition-> Or Condition 1 -> operator -> pattern-match -> pattern "User-Agent: (?!.*MSIE).* is invalid. syntax error at ?

Is there any other way to achieve the detection of non-MSIE browsers?

Thanks

Kind regards, Ben

Highlighted
L4 Transporter

Hi Ben,

As you've figured out, the answer to your question is no we don't support negative lookahead regex. I think it's doable, but it may not be supported in regex. Instead we could expose a negative flag that you can associate with a pattern in the signature. So you would first look for User-Agent, then MSIE with a negative flag, which would trigger if MSIE was not found after the User-Agent trigger. This will require some software and engine work. If this works for you, can you have your SE log a feature request and we will see where we can get it scheduled in.

Thanks,

Alfred

Highlighted
Not applicable

Hi,

As i have the same problem and that currently, the PAN OS 4.0.3 still doesn't support negative regexp, i would know if there is a fix coming or not?

Thanks for answers,

Alexis

Highlighted
L0 Member

I would be *very* interested in this feature as well: any news on implementation?

Highlighted
L3 Networker

No, PA said implementation would have negative impact on performance. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!