Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1256
Views
5
Helpful
4
Replies

IPS Regular expression character [?]

kurtpatzer
Level 1
Level 1

‎10-03-2005 11:04 AM - edited ‎03-10-2019 01:40 AM

I understand the use of the ? character in a regex to match on 0 or 1 occurances of the previous character. But, I don't understand what it means when it is in braces. Some examples:

Sig 3200 RegEx ends with [? \r\n\t], it appears that there is a space after the ?. This seems to be matching on any white space (space, carriage return, newline or tab). But why is the ? important at the beginning.

Maybe a simpler example: signature 3232 looks for the string finger.pl in a case insensitive fashion, but the regEx ends in [?]. Whta is the purpose of the ? in braces?

Thanks,

KEP

Labels:
0 Helpful
4 Replies 4

bkubesh
Level 1
Level 1

‎10-03-2005 02:12 PM

When a "?" is in brackets, which signifies a character class, it means a match on the "?" character itself. Operators have no special meaning inside character classes, this includes "+,*,?,{,}" etc...

0 Helpful

kurtpatzer
Level 1
Level 1
In response to bkubesh

‎10-05-2005 05:19 PM

Thanks for the clarification. That makes perfect sense & I've seen it used before. I just did some testing with a few regex signatures that have the ? (often among other characters) & it does work this way. So, now I think my question is how is a ? interpreted by an http daemon - it seems to be that some signatures look for the ? specifically, while others look for it or a number of other white space like characters (space, new line, tab, etc).

0 Helpful

a.arndt
Level 3
Level 3
In response to kurtpatzer

‎10-07-2005 04:59 AM

When a '?' is passed as part of a URL, it signifies arguments to be passed to the resource being accessed.

For example, the URL http://some.domain.com/search.cgi?cromulent would be interpreted as someone passing the argument 'cromulent' to a CGI script called 'search.cgi' running on a web server using the name 'some.domain.com'.

This same technique has been used during some URL parsing attacks, format string attacks and other techniques where by a real resource on a server is accessed via a specifically crafted URL. (Remember http://some.domain.com/../../winnt/system32/cmd.exe?dir+c: and all its Unicode and hex obfuscated cousins?)

I hope this helps,

Alex Arndt

kurtpatzer
Level 1
Level 1
In response to a.arndt

‎10-19-2005 06:18 PM

Thanks - I had been distracted and chased other issues. This explanation certainly is helpful!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card