Bit of an advanced regex feature, but I would like to set up a custom vulnerability signature to detect browsers (user-agent) that are not Internet Explorer. True, one could detect Firefox specifically, but there are so many different browsers in the wild that it is impossible to match them all.
The regex I'm attempting therefore is: User-Agent: (?!.*MSIE).*
The regular expression would match if any browser type (user-agent) is not MS Internet Explorer, which is what I need.
However, PANOS 4.0.0 doesn't seem to like this syntax and returns an error:-
-> signature > standard > Firefox -> and-condition -> And Condition 1 -> or-condition-> Or Condition 1 -> operator -> pattern-match -> pattern "User-Agent: (?!.*MSIE).* is invalid. syntax error at ?
Is there any other way to achieve the detection of non-MSIE browsers?
Kind regards, Ben
As you've figured out, the answer to your question is no, we don't support negative lookahead regex. I think it's doable, but it may not be supported in regex. Instead we could expose a negative flag that you can associate with a pattern in the signature. So you would first look for User-Agent, then MSIE with a negative flag, which would trigger if MSIE was not found after the User-Agent trigger. This will require some software and engine work. If this works for you, can you have your SE log a feature request and we will see where we can get it scheduled in.
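Added example, not part of the thread and not PAN-OS signature syntax: a Python sketch comparing the negative-lookahead pattern from the question with the two-step "trigger, then negated pattern" logic described in the reply, using Python's `re` module as a stand-in engine. The function names and sample requests are constructed for illustration.

```python
import re

# The pattern from the question. "." does not cross a newline, so the
# lookahead only inspects the rest of the User-Agent line, not later headers.
LOOKAHEAD = re.compile(r"User-Agent: (?!.*MSIE).*")

# Building blocks for an engine without lookahead: a positive trigger plus a
# second pattern whose result is negated (the "negative flag" idea).
TRIGGER = re.compile(r"User-Agent: ([^\r\n]*)")
NEGATED = re.compile(r"MSIE")


def match_lookahead(request: str) -> bool:
    """True when the request has a User-Agent header that lacks MSIE."""
    return LOOKAHEAD.search(request) is not None


def match_two_step(request: str) -> bool:
    """Same decision without lookahead: find the trigger, then negate MSIE."""
    trigger = TRIGGER.search(request)
    if trigger is None:
        return False  # no User-Agent header: the trigger never fires
    return NEGATED.search(trigger.group(1)) is None


# Constructed sample requests (not captured traffic).
IE = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
      "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\r\n\r\n")
FIREFOX = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Firefox/5.0\r\n\r\n")
# MSIE appears in a later header only; it must not suppress the match.
FIREFOX_REFERER = FIREFOX.replace(
    "\r\n\r\n", "\r\nReferer: http://example.test/?q=MSIE\r\n\r\n")
NO_UA = "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


def compare(request: str) -> tuple:
    """Return (lookahead result, two-step result) for one request."""
    return match_lookahead(request), match_two_step(request)


if __name__ == "__main__":
    for name, req in [("IE", IE), ("Firefox", FIREFOX),
                      ("Firefox+Referer", FIREFOX_REFERER), ("no UA", NO_UA)]:
        print(name, compare(req))
```

Both approaches agree on these samples; note that a request with no User-Agent header at all matches neither, so it would need its own signature if it should be flagged.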
As I have the same problem, and PAN OS 4.0.3 currently still doesn't support negative regexp, I would like to know if there is a fix coming or not?
Thanks for your answers,