I understand the use of the ? character in a regex to match on 0 or 1 occurances of the previous character. But, I don't understand what it means when it is in braces. Some examples:
Sig 3200 RegEx ends with [? \r\n\t], it appears that there is a space after the ?. This seems to be matching on any white space (space, carriage return, newline or tab). But why is the ? important at the beginning.
Maybe a simpler example: signature 3232 looks for the string finger.pl in a case insensitive fashion, but the regEx ends in [?]. Whta is the purpose of the ? in braces?
Thanks for the clarification. That makes perfect sense & I've seen it used before. I just did some testing with a few regex signatures that have the ? (often among other characters) & it does work this way. So, now I think my question is how is a ? interpreted by an http daemon - it seems to be that some signatures look for the ? specifically, while others look for it or a number of other white space like characters (space, new line, tab, etc).
When a '?' is passed as part of a URL, it signifies arguments to be passed to the resource being accessed.
For example, the URL http://some.domain.com/search.cgi?cromulent would be interpreted as someone passing the argument 'cromulent' to a CGI script called 'search.cgi' running on a web server using the name 'some.domain.com'.
This same technique has been used during some URL parsing attacks, format string attacks and other techniques where by a real resource on a server is accessed via a specifically crafted URL. (Remember http://some.domain.com/../../winnt/system32/cmd.exe?dir+c: and all its Unicode and hex obfuscated cousins?)
I hope this helps,