Re: [mod-security-users] regular expressions
From: Terje S. <te...@wa...> - 2007-11-09 18:32:31
Regexps can of course be hard to get into and understand, but IMO, please keep the list clean and send general regexp questions somewhere else...

-Terje

On Nov 9, 2007 7:01 PM, Brian Rectanus <Bri...@br...> wrote:
> BTW All,
>
> Please continue to post questions as to what the regexes used in the
> rules mean. PCRE is hard to understand and follow at times. They take
> a lot of practice to write well and read correctly. The Core Rules use
> very complex regexes (further complicated by an optimizer) and many of
> them are very difficult to read.
>
> Read up on the basics (http://perldoc.perl.org/perlre.html).
>
> If that does not answer your questions (and it is a very large topic),
> I (or someone else here) would be happy to answer any PCRE questions.
> Becoming proficient in regex writing (or even reading) will help you a
> lot in rule writing.
>
> If there is need (or want), perhaps I can put up a blog on the topic.
>
> later,
> -B
>
>
> Brian Rectanus wrote:
> > Hi Ken,
> >
> > Thanks for your feedback. See my comments inline...
> >
> > Ken Senior wrote:
> >> Can anyone give advice for demystifying regular expressions in
> >> Modsecurity? I know regular expressions in certain contexts, but not in
> >> modsecurity. It would be really nice to include at least something in
> >> the manual on this. For example,
> >>
> >> !^apache.*perl
> >>
> >> What does this mean? Does it mean NOT matching "apache" OR "perl". If
> >
> >
> > The '!' negates the regex as you have correctly stated. This is
> > actually in the docs for SecRule, but needs improved.
> >
> > The '^' anchors the match to the start of the string. The '.' means
> > "any character" and the '*' means "zero or more of the preceding match"
> > which is a '.' in this case and thus '.*' means "anything, including
> > nothing".
> >
> > The entire regex means:
> >
> > Does not match the word "apache" at the start of the string followed by
> > the word "perl" anywhere after that.
> >
> >> so, I'd like to add wget to the list. So, would this be:
> >>
> >> !^apache.*perl.*wget
> >
> >
> > An OR is '|'. For example:
> >
> > !(?:^apache.*perl|wget)
> >
> > The '(?:<regex>)' groups a subregex without capturing the results. A
> > (<regex>) does the same, but captures the results. The ?: version is
> > just more efficient if you do not need the captured results.
> >
> > This regex then means:
> >
> > Does not match the word "apache" at the start of the string followed by
> > the word "perl" anywhere after that NOR the word "wget" anywhere in the
> > string.
> >
> > Hope that helps a bit. But you should consider reading the perl
> > compatible regular expressions docs.
> >
> > http://perldoc.perl.org/perlre.html
> >
> > -B
> >
> >
>
> --
> Brian Rectanus
> Breach Security
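
The three operators discussed in this thread, evaluated against constructed sample strings, as an added example that is not part of the original messages or of ModSecurity's own code. It assumes Python's `re` module behaves like PCRE for these simple patterns; `rule_fires` is a hypothetical helper that emulates the leading `!` negation and an unanchored search.

```python
import re

def rule_fires(operator: str, value: str) -> bool:
    """Emulate a SecRule regex operator (hypothetical helper, not ModSecurity code).

    A leading '!' negates the result. The pattern is searched anywhere in the
    value, so only an explicit '^' ties a match to the start of the string.
    """
    negate = operator.startswith("!")
    pattern = operator[1:] if negate else operator
    matched = re.search(pattern, value) is not None
    return matched != negate  # negation flips "matched" into "fires"

OPERATORS = [
    "!^apache.*perl",           # the rule Ken asked about
    "!^apache.*perl.*wget",     # Ken's attempt: all three words, in that order
    "!(?:^apache.*perl|wget)",  # Brian's suggestion: either alternative
]

# Constructed sample values; the thread does not say which variable the rule inspects.
SAMPLES = [
    "apache mod_perl build",
    "wget/1.10",
    "fetched with wget by apache perl",
    "apache perl then wget",
    "something else",
]

def truth_table() -> dict:
    """Map each operator to the list of fire/no-fire results over SAMPLES."""
    return {op: [rule_fires(op, s) for s in SAMPLES] for op in OPERATORS}

if __name__ == "__main__":
    for op, row in truth_table().items():
        print(op)
        for sample, fired in zip(SAMPLES, row):
            print(f"    {'FIRES' if fired else 'quiet':5}  {sample!r}")
```

In the third operator the `^` belongs only to the first alternative, so `wget` is matched anywhere in the value, while Ken's attempt stays quiet only when all three words appear in order from the start of the string.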