https://community.cisco.com/t5/network-security/ips-regular-expression-character/m-p/464133#M91540 <HTML><HEAD></HEAD><BODY><P>Thanks - I had been distracted and chased other issues. This explanation certainly is helpful!</P></BODY></HTML> Thu, 20 Oct 2005 01:18:36 GMT kurtpatzer 2005-10-20T01:18:36Z https://community.cisco.com/t5/network-security/ips-regular-expression-character/m-p/464129#M91536 <P>I understand the use of the ? character in a regex to match on 0 or 1 occurances of the previous character. But, I don't understand what it means when it is in braces. Some examples:</P><P></P><P>Sig 3200 RegEx ends with [? \r\n\t], it appears that there is a space after the ?. This seems to be matching on any white space (space, carriage return, newline or tab). But why is the ? important at the beginning.</P><P></P><P>Maybe a simpler example: signature 3232 looks for the string finger.pl in a case insensitive fashion, but the regEx ends in [?]. Whta is the purpose of the ? in braces?</P><P></P><P>Thanks,</P><P>KEP</P><P></P> Sun, 10 Mar 2019 09:40:28 GMT https://community.cisco.com/t5/network-security/ips-regular-expression-character/m-p/464129#M91536 kurtpatzer 2019-03-10T09:40:28Z https://community.cisco.com/t5/network-security/ips-regular-expression-character/m-p/464130#M91537 <HTML><HEAD></HEAD><BODY><P>When a "?" is in brackets, which signifies a character class, it means a match on the "?" character itself. Operators have no special meaning inside character classes, this includes "+,*,?,{,}" etc...</P></BODY></HTML> Mon, 03 Oct 2005 21:12:37 GMT https://community.cisco.com/t5/network-security/ips-regular-expression-character/m-p/464130#M91537 bkubesh 2005-10-03T21:12:37Z https://community.cisco.com/t5/network-security/ips-regular-expression-character/m-p/464131#M91538 <HTML><HEAD></HEAD><BODY><P>Thanks for the clarification. That makes perfect sense &amp; I've seen it used before. I just did some testing with a few regex signatures that have the ? (often among other characters) &amp; it does work this way. So, now I think my question is how is a ? interpreted by an http daemon - it seems to be that some signatures look for the ? specifically, while others look for it or a number of other white space like characters (space, new line, tab, etc).</P><P></P><P></P></BODY></HTML> Thu, 06 Oct 2005 00:19:37 GMT https://community.cisco.com/t5/network-security/ips-regular-expression-character/m-p/464131#M91538 kurtpatzer 2005-10-06T00:19:37Z https://community.cisco.com/t5/network-security/ips-regular-expression-character/m-p/464132#M91539 <HTML><HEAD></HEAD><BODY><P>When a '?' is passed as part of a URL, it signifies arguments to be passed to the resource being accessed.</P><P></P><P>For example, the URL <A class="jive-link-custom" href="http://some.domain.com/search.cgi?cromulent" target="_blank">http://some.domain.com/search.cgi?cromulent</A> would be interpreted as someone passing the argument 'cromulent' to a CGI script called 'search.cgi' running on a web server using the name 'some.domain.com'.</P><P></P><P>This same technique has been used during some URL parsing attacks, format string attacks and other techniques where by a real resource on a server is accessed via a specifically crafted URL. (Remember <A class="jive-link-custom" href="http://some.domain.com/../../winnt/system32/cmd.exe?dir+c" target="_blank">http://some.domain.com/../../winnt/system32/cmd.exe?dir+c</A>: and all its Unicode and hex obfuscated cousins?)</P><P></P><P>I hope this helps,</P><P>Alex Arndt</P></BODY></HTML> Fri, 07 Oct 2005 11:59:04 GMT https://community.cisco.com/t5/network-security/ips-regular-expression-character/m-p/464132#M91539 a.arndt 2005-10-07T11:59:04Z https://community.cisco.com/t5/network-security/ips-regular-expression-character/m-p/464133#M91540 <HTML><HEAD></HEAD><BODY><P>Thanks - I had been distracted and chased other issues. This explanation certainly is helpful!</P></BODY></HTML> Thu, 20 Oct 2005 01:18:36 GMT https://community.cisco.com/t5/network-security/ips-regular-expression-character/m-p/464133#M91540 kurtpatzer 2005-10-20T01:18:36Z