Re: [mod-security-users] regular expressions
From: Brian R. <Bri...@br...> - 2007-11-09 18:02:00
BTW All,

Please continue to post questions as to what regex used in the rules mean. PCRE is hard to understand and follow at times. They take a lot of practice to write well and read correctly. The Core Rules use very complex regexes (further complicated by an optimizer) and many of them are very difficult to read.

Read up on the basics (http://perldoc.perl.org/perlre.html). If that does not answer your questions (and it is a very large topic), I (or someone else here) would be happy to answer any PCRE questions.

Becoming proficient in regex writing (or even reading) will help you a lot in rule writing. If there is need (or want), perhaps I can put up a blog on the topic.

later,
-B

Brian Rectanus wrote:
> Hi Ken,
>
> Thanks for your feedback. See my comments inline...
>
> Ken Senior wrote:
>> Can anyone give advice for demystifying regular expressions in
>> Modsecurity? I know regular expressions in certain contexts, but not in
>> modsecurity. It would be really nice to include at least something in
>> the manual on this. For example,
>>
>> !^apache.*perl
>>
>> What does this mean? Does it mean NOT matching "apache" OR "perl". If
>
> The '!' negates the regex as you have correctly stated. This is
> actually in the docs for SecRule, but needs improved.
>
> The '^' anchors the match to the start of the string. The '.' means
> "any character" and the '*' means "zero or more of the preceding match"
> which is a '.' in this case and thus '.*' means "anything, including
> nothing".
>
> The entire regex means:
>
> Does not match the word "apache" at the start of the string followed by
> the word "perl" anywhere after that.
>
>> so, I'd like to add wget to the list. So, would this be:
>>
>> !^apache.*perl.*wget
>
> An OR is '|'. For example:
>
> !(?:^apache.*perl|wget)
>
> The '(?:<regex>)' groups a subregex without capturing the results. A
> (<regex>) does the same, but captures the results. The ?: version is
> just more efficient if you do not need the captured results.
>
> This regex then means:
>
> Does not match the word "apache" at the start of the string followed by
> the word "perl" anywhere after that NOR the word "wget" anywhere in the
> string.
>
> Hope that helps a bit. But you should consider reading the perl
> compatible regular expressions docs.
>
> http://perldoc.perl.org/perlre.html
>
> -B
>

--
Brian Rectanus
Breach Security
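
The three operator strings from the thread evaluated side by side, as an added example that is not part of the original message. Python's `re.search` stands in for ModSecurity's PCRE matching (an assumption that holds for these simple patterns), and `rule_fires`, `OPERATORS`, `evaluate` and the sample values are constructed for illustration.

```python
import re

def rule_fires(operator: str, value: str) -> bool:
    """Return True when a rule using this regex operator would match `value`.

    A leading '!' inverts the regex result, as described in the thread.
    re.search is used because the regex is only anchored where it says '^'.
    """
    negated = operator.startswith("!")
    pattern = operator[1:] if negated else operator
    matched = re.search(pattern, value) is not None
    return matched != negated

# Operator strings quoted in the thread.
OPERATORS = {
    "original": r"!^apache.*perl",
    "chained": r"!^apache.*perl.*wget",         # Ken's proposed form
    "alternation": r"!(?:^apache.*perl|wget)",  # Brian's suggestion
}

# Constructed sample values (not taken from the thread).
SAMPLES = [
    "apache mod_perl/2.0",
    "wget/1.10",
    "my wget wrapper",
    "apache mod_perl then wget",
    "perl on apache",
    "curl/7.16",
]

def evaluate() -> dict:
    """Map each operator name to the fire/no-fire result for every sample."""
    return {name: [rule_fires(op, s) for s in SAMPLES]
            for name, op in OPERATORS.items()}

if __name__ == "__main__":
    results = evaluate()
    print(f"{'value':<28}" + "".join(f"{n:<13}" for n in OPERATORS))
    for i, sample in enumerate(SAMPLES):
        cells = "".join(f"{'FIRES' if results[n][i] else '-':<13}"
                        for n in OPERATORS)
        print(f"{sample:<28}{cells}")
```

The chained form still fires on `wget/1.10` because it requires "apache", "perl" and "wget" in that order, while the alternation exempts any value containing "wget"; note that `^` binds only to the first alternative inside the group.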