Regexp case sensitivity

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Regexp case sensitivity

Not applicable

I'm trying to create case insensitive regexp for data filtering, however couldn't find any standard regexp way which would work.

Also when I tried to workaround and created following data pattern [Vv][Ii][Dd][Ii][Nn][Ii][Aa][Mn] (which is perfectly valid regexp in my opinion)  I received data-object-patter-validation error.

Any suggestions how to do it ?

2 REPLIES 2

L4 Transporter

While it doesn't answer your specific question, the Admin Guide does a fair job of explaining how the regex works in PAN-OS. I've extracted the pages from a section called "About Data Patterns" and attached them here.  In short, though, the data patterns are case sensitive, so I think you'd have to use an "or" function for the pattern you're looking for:

An excerpt:

The following are examples of valid custom patterns:


.*((Confidential)|(CONFIDENTIAL))
     – Looks for the word “Confidential” or “CONFIDENTIAL” anywhere
     – “.*” at the beginning specifies to look anywhere in the stream
     – Does not match “confidential” (all lower case)

.*(Press Release).*((Draft)|(DRAFT)|(draft))
– Looks for “Press Release” followed by various forms of the word draft, which may
indicate that the press release isn't ready to be sent outside the company

In looking at the pattern you gave as an example, for one, I think the last letter is incorrect and you'd want it to be [Mm] and not [Mn].  I know, picky picky. Smiley Happy  Secondly, I think the pattern you want would be:

.*([Vv]).*([Ii]).*([Dd]).*([Ii]).*([Nn]).*([Ii]).*([Aa]).*([Mm])

But if this is all you put in, this triggers an error, since the pattern fails to meet the minimum 7 byte requirement.  Don't ask me why, but that's happens when I try it.  So my other question is, can you front-end or back-end this with another string to meet the 7 bytes?  For example, when I use:

test123.*([Vv]).*([Ii]).*([Dd]).*([Ii]).*([Nn]).*([Ii]).*([Aa]).*([Mm])

the pattern is accepted and I believe it would work.

Outside of this, I think you'd have to just use whatever you thought would be the most common capitalizations.... VIDINIAM, vidiniam, Vidiniam, VidiNiam, etc. and do OR functions around those as shown in the examples above.

You are right, your answer doesn't answer my question Smiley Happy and I only ask when I can't find answer in the manual Smiley Happy

  • 3142 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!