How to use Regular Expressions for creating custom Intrusion Prevention Signatures


Article ID: 178174



Endpoint Protection


How can I leverage Regular Expressions to create custom Intrusion Prevention Signatures (IPS)?


You can use regular expressions in the IPS signature content. By default, the regular expressions are case-sensitive.


Regular expressions use the following format:

regexpcontent="string value" (offset, depth) opt

offset: Specifies the start of the bytes in the packet data from which the IPS engine matches the signature pattern.

depth: Specifies the length of the packet data in which the IPS engine matches the signature pattern.

opt: Includes the C and H options.

• The C option makes the expression not case-sensitive.
• The H option specifies HTTP decoding.
• If there is no option, the entire data packet is matched.

Regular expressions support the following characteristics:

• Multiple regexpcontent
• Case-sensitivity
• Binary format. The format is \x or \X with two Hex digits, like \xA9.

Table: Syntax for regular expressions (the numbers in square brackets are the row numbers of this table and are used as cross-references in the descriptions)

[1] Character
    Matches itself, unless it is a special character (metacharacter): . \ [ ] * + ^ $

[2] .
    Matches any character and means one or more.

[3] \
    Matches the character following it, except when followed by:
    · A left round bracket or a right round bracket.
    · A left angle bracket or a right angle bracket.
    · A digit from 1 to 9.
    These cases are described in [7], [8] and [9].
    The \ character is used as an escape character for all other metacharacters as well as itself. When used in a set ([4]), the \ character is treated as an ordinary character.

[4] [set] [^set]
    Matches one of the characters in the set.
    If the first character in the set is "^", it matches a character NOT in the set, i.e., it complements the set. A shorthand S-E is used to specify a set of characters from S up to E, inclusive. The special characters "]" and "-" have no special meaning if they appear as the first characters in the set.
    For example:
    · [a-z]: Matches any alphabetic character
    · [^]-]: Matches any character except ] and -
    · [^A-Z]: Matches any character except an alphabetic character
    · [a-z A-Z]: Matches any alphabetic character. It is the same as [a-z] or [A-Z]

[5] *
    Any regular expression from [1] to [4] followed by the closure character (*) matches zero or more occurrences of that form.

[6] +
    Same as *, except that + matches one or more occurrences.

[7] \(form\)
    A regular expression in the form [1] to [10], enclosed as \(form\), matches what form matches. The enclosure creates a set of tags that are used for [8] and for pattern substitution. The tagged forms are numbered starting from 1.

[8] \1 to \9
    A \ followed by a digit from 1 to 9 matches whatever a previously tagged regular expression ([7]) matched.

[9] \< \>
    A regular expression that starts with a \< construct and/or ends with a \> construct restricts the pattern matching to the beginning of a word and/or the end of a word. A word is defined to be a character string beginning and/or ending with the characters A-Z, a-z, 0-9 and _. It must also be preceded or followed by a character outside those mentioned.

[10] N/A
    A composite regular expression xy, where x and y are in the form [1] to [10], matches the longest match of x followed by a match for y.

[11] ^ $
    A regular expression that starts with a ^ character and/or ends with a $ character restricts the pattern matching to the beginning of the line and/or the end of the line (anchors). Elsewhere in the pattern, ^ and $ are treated as ordinary characters.
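As an added worked example (not code from this article and not the IPS engine's own implementation), the following Python script models how a regexpcontent="string value" (offset, depth) opt clause from the format section above is applied to one packet payload, and translates the syntax from the table above (tagged groups \( \), back-references \1 to \9, word boundaries \< \>, binary bytes \xHH, sets in which \ is ordinary) into Python's re module so that the rules can be tried against sample data. The function names, the sample payloads, and the reading of the H option as percent-decoding of the searched window are assumptions made for the example.

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed sample packet payloads for the example (not captured traffic).
HTTP_REQUEST = (
    b"GET /index.html?id=1&id=1 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: ScannerBot/2.0\r\n\r\n"
)
ENCODED_REQUEST = b"GET /download?file=report%20final.pdf HTTP/1.1\r\n\r\n"
BINARY_BLOB = b"abc\xa9\x00def"

WORD = r"[A-Za-z0-9_]"   # the article's definition of a word character


def translate(pattern: str) -> str:
    r"""Rewrite a pattern written in the article's dialect into Python re syntax.

    Differences handled:
      \( \)   tagged group; bare ( and ) are ordinary characters in the dialect
      \< \>   start / end of a word (table row [9])
      \1..\9  back-reference to a tagged group (same in Python)
      \xHH    one byte given as two hex digits (\X is accepted as well)
      inside [...] a backslash is an ordinary character, so it is escaped for Python
      ? { } | are ordinary characters in the dialect, so they are escaped for Python
    """
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:
            nxt = pattern[i + 1]
            if nxt in "()":
                out.append(nxt)                       # tagged group
            elif nxt == "<":
                out.append(r"\b(?=" + WORD + ")")     # beginning of a word
            elif nxt == ">":
                out.append("(?<=" + WORD + r")\b")    # end of a word
            elif nxt in "123456789":
                out.append("\\" + nxt)                # back-reference
            elif nxt in "xX" and re.fullmatch(r"[0-9A-Fa-f]{2}", pattern[i + 2:i + 4]):
                out.append("\\x" + pattern[i + 2:i + 4])
                i += 4
                continue
            else:
                out.append(re.escape(nxt))            # escaped literal character
            i += 2
        elif c == "[":
            j = i + 1
            if j < n and pattern[j] == "^":
                j += 1
            if j < n and pattern[j] == "]":           # a leading ] is literal
                j += 1
            while j < n and pattern[j] != "]":
                j += 1
            out.append("[" + pattern[i + 1:j].replace("\\", "\\\\") + "]")
            i = j + 1
        elif c in ".*+^$":
            out.append(c)                             # same meaning in Python
            i += 1
        else:
            out.append(re.escape(c))                  # everything else is literal
            i += 1
    return "".join(out)


def regexpcontent_match(payload: bytes, pattern: str, offset: int = 0,
                        depth: Optional[int] = None, opt: str = "") -> Optional[bytes]:
    """Apply regexpcontent="pattern" (offset, depth) opt to one packet payload.

    Returns the matched bytes, or None. offset and depth select the window of
    the payload that is searched (depth=None means up to the end of the packet).
    Option C makes the match case-insensitive. Option H is taken here to mean
    percent-decoding the window before matching; that is an assumption about
    what the article calls HTTP decoding, not a documented behaviour.
    """
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    opts = opt.upper()
    if "H" in opts:
        window = unquote_to_bytes(window)
    flags = re.IGNORECASE if "C" in opts else 0
    m = re.compile(translate(pattern).encode("latin-1"), flags).search(window)
    return m.group(0) if m else None


if __name__ == "__main__":
    # Tagged group plus back-reference: the same key=value repeated.
    print(regexpcontent_match(HTTP_REQUEST, r"\([a-z]+=[0-9]+\)&\1"))
    # Whole-word match that only succeeds with the C (case-insensitive) option.
    print(regexpcontent_match(HTTP_REQUEST, r"\<scannerbot\>", opt="C"))
    # depth limits the window, so the version string is out of reach here.
    print(regexpcontent_match(HTTP_REQUEST, r"HTTP/1\.1", depth=10))
    # H decodes %20 before matching.
    print(regexpcontent_match(ENCODED_REQUEST, r"report final\.pdf", opt="H"))
    # Binary bytes written as \xHH.
    print(regexpcontent_match(BINARY_BLOB, r"\xA9\x00"))
```

The sample calls show why offset and depth matter when writing a signature: the same pattern matches or misses depending on the window, and a pattern anchored with ^ only matches when offset points at the byte where the expected text begins. Bare ( ) ? { } | are ordinary characters in the dialect, so a pattern copied from a tool that treats them as metacharacters will not behave the same way in a signature.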