Negative lookahead regular expression not working

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Negative lookahead regular expression not working

L3 Networker

Hi

Bit of an advanced regex feature, but I would like to set up a custom vulnerability signature to detect browsers (user-agent) that are not Internet Explorer. True, one could detect Firefox specifically, but there are so many different browsers in the wild that it is impossible to match them all.

The regex I'm attempting therefore is: User-Agent: (?!.*MSIE).*

The regular expression would match if any browser type (user-agent) is not MS Internet Explorer, which is what I need.

However, PANOS 4.0.0 doesn't seem to like this syntax and returns an error:-

Operation Failed:

-> signature > standard > Firefox -> and-condition -> And Condition 1 -> or-condition-> Or Condition 1 -> operator -> pattern-match -> pattern "User-Agent: (?!.*MSIE).* is invalid. syntax error at ?

Is there any other way to achieve the detection of non-MSIE browsers?

Thanks

Kind regards, Ben

4 REPLIES 4

L4 Transporter

Hi Ben,

As you've figured out, the answer to your question is no we don't support negative lookahead regex. I think it's doable, but it may not be supported in regex. Instead we could expose a negative flag that you can associate with a pattern in the signature. So you would first look for User-Agent, then MSIE with a negative flag, which would trigger if MSIE was not found after the User-Agent trigger. This will require some software and engine work. If this works for you, can you have your SE log a feature request and we will see where we can get it scheduled in.

Thanks,

Alfred

Hi,

As i have the same problem and that currently, the PAN OS 4.0.3 still doesn't support negative regexp, i would know if there is a fix coming or not?

Thanks for answers,

Alexis

I would be *very* interested in this feature as well: any news on implementation?

No, PA said implementation would have negative impact on performance. 

  • 3037 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!